The Federal E-Authentication profile specifies the SAML 1.0 artifact profile in conjunction with some restrictions on assertion content. ShibOnedotThree supports this profile.
The set-up process assumes that a complete InQueue installation and testing has been performed and you have a functional Shibboleth IdP. If not, complete that section first.
Example resolver.xml snippet:

    <SimpleAttributeDefinition id="commonName" sourceName="commonName"
        namespace="http://eauthentication.gsa.gov/federated/attribute">
        <DataConnectorDependency requires="echo"/>
    </SimpleAttributeDefinition>
Example web.xml snippet:

    <filter>
        <filter-name>SAML 1 to 1.1 Conversion Filter</filter-name>
        <filter-class>edu.internet2.middleware.shibboleth.utils.SAML1_0to1_1ConversionFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SAML 1 to 1.1 Conversion Filter</filter-name>
        <url-pattern>/eAuthArt</url-pattern>
    </filter-mapping>
The Sun AA implementation does not seem to work with the Apache directive SSLVerifyClient optional_no_ca. To work around this, you must configure client-auth and create an appropriate trust bundle.
Example SAML 2.0 metadata for E-Authentication use: eAuth-sites.xml
Example idp.xml file for E-Authentication use: idp.xml
The set-up process assumes that a complete InQueue installation and testing has been performed and you have a functional Shibboleth SP. If not, complete that section first.
shibboleth.xml Configuration

The ShibbolethApplication being configured for EAuthenticationDeployment must have an AssertionConsumerService element inside its Sessions element set up as below:

    <md:AssertionConsumerService xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        Location="/SAML/Artifact" index="1"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        samlp:MinorVersion="0"/>
The index value can be anything as long as it is unique within the set of AssertionConsumerService elements. What distinguishes this from a normal artifact profile endpoint is the additional namespace-qualified MinorVersion attribute. In most Shibboleth configurations this attribute defaults to 1, indicating SAML 1.1 support; set it to 0 to enable SAML 1.0. This works for either the POST or the artifact profile, but EAuthenticationDeployment requires the use of artifact.
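As an added check (not part of the original page or the Shibboleth distribution), the following script verifies a Sessions fragment against the two rules above: every index is unique, and at least one artifact endpoint explicitly carries samlp:MinorVersion="0". The md prefix is assumed to map to the SAML 2.0 metadata namespace used by Shibboleth 1.3; the sample fragment is constructed.

```python
import xml.etree.ElementTree as ET

# samlp is declared on the page's own element; the md namespace is assumed
# to be the SAML 2.0 metadata namespace that Shibboleth 1.3 shibboleth.xml uses.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"

# Constructed Sessions fragment: the E-Authentication SAML 1.0 artifact
# endpoint from the page plus an ordinary SAML 1.1 POST endpoint.
SAMPLE_SESSIONS = f"""<Sessions xmlns:md="{MD}" xmlns:samlp="{SAMLP}">
  <md:AssertionConsumerService Location="/SAML/Artifact" index="1"
      Binding="{ARTIFACT_BINDING}" samlp:MinorVersion="0"/>
  <md:AssertionConsumerService Location="/SAML/POST" index="2"
      Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
</Sessions>"""


def check_eauth_endpoints(sessions_xml: str) -> list[str]:
    """Return a list of problems found; an empty list means the fragment passes."""
    root = ET.fromstring(sessions_xml)
    problems = []
    seen_index = {}
    has_saml10_artifact = False
    for acs in root.iter(f"{{{MD}}}AssertionConsumerService"):
        location = acs.get("Location")
        idx = acs.get("index")
        if idx in seen_index:
            problems.append(f"duplicate index {idx} at {location} and {seen_index[idx]}")
        seen_index[idx] = location
        # An absent MinorVersion defaults to 1 (SAML 1.1), as the page states.
        minor = acs.get(f"{{{SAMLP}}}MinorVersion", "1")
        if acs.get("Binding") == ARTIFACT_BINDING and minor == "0":
            has_saml10_artifact = True
    if not has_saml10_artifact:
        problems.append("no artifact endpoint with samlp:MinorVersion=\"0\" for E-Authentication")
    return problems


if __name__ == "__main__":
    print(check_eauth_endpoints(SAMPLE_SESSIONS) or "ok")
```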
Additional settings that may be helpful...
A starting policy file is attached: eauth-AAP.xml
Supplying MetaData for an EAuth CredentialServiceProvider is essentially the same as for any other Shibboleth IdentityProvider, except that: