Mecanismo de Autenticação


Instruções de configuração do servidor de identidade para o Educast.

Ficheiros

Depois de alterados os ficheiros, o IdP deve ser reiniciado. Antes de reiniciar, convém validar que os ficheiros alterados continuam a ser XML bem formado. O serviço Educast pode ser acedido através do seguinte link: https://educast.fccn.pt.

Atributos Necessários

O serviço Educast utiliza os seguintes atributos.

Obrigatórios

Configurações Detalhadas

relying-party.xml

<!--
  EDUcast: relying-party override that applies only to the service provider
  whose entityID is given in "id".
  * provider: replace the bracketed placeholder with this IdP's own entityID.
  * defaultSigningCredentialRef: must name a credential defined elsewhere in
    relying-party.xml; "IdPCredential" is assumed to exist there (confirm).
  * Only the SAML 2 SSO profile is configured here, with encryptNameIds set
    to "conditional". Assertion encryption and signing options are not set
    in this override, so whatever the IdP applies by default is in effect;
    check that those defaults match local policy.
-->
<RelyingParty
    id="https://educast.fccn.pt/shibboleth"
    provider="[EntityID do IDP shibboleth]"
    defaultSigningCredentialRef="IdPCredential">
  <ProfileConfiguration
      xsi:type="saml:SAML2SSOProfile"
      encryptNameIds="conditional"/>
</RelyingParty>

attribute-resolver.xml

<!--
  Givenname: simple (pass-through) definition for the user's given name.
  * The default namespace declared on each element is what its unprefixed
    xsi:type value ("Simple", "SAML1String", "SAML2String") resolves against.
  * sourceAttributeID: replace the placeholder with the name of the attribute
    in the repository that holds givenName.
  * Dependency ref: replace with the id of the data connector that reads the
    attribute repository.
  * The id must equal the attributeID used for this attribute in
    attribute-filter.xml, otherwise the value is never released.
-->
<resolver:AttributeDefinition
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    xsi:type="Simple"
    id="Givenname"
    sourceAttributeID="[Source no repositorio que possui o givenName]">
  <resolver:Dependency ref="[Connector ao repositorio de atributos]"/>
  <!-- SAML 1 wire name (MACE URN). -->
  <resolver:AttributeEncoder
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      xsi:type="SAML1String"
      name="urn:mace:dir:attribute-def:INETORGPERSON_GIVENNAME"/>
  <!-- SAML 2 wire name: OID 2.5.4.42 (givenName). -->
  <resolver:AttributeEncoder
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      xsi:type="SAML2String"
      name="urn:oid:2.5.4.42"
      friendlyName="INETORGPERSON_GIVENNAME"/>
</resolver:AttributeDefinition>

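<!--
  Surname: simple (pass-through) definition for the user's surname.
  * sourceAttributeID: replace the placeholder with the name of the attribute
    in the repository that holds sn. The value is a single quoted string; a
    stray ="..." inside the attribute makes the file ill-formed XML.
  * Dependency ref: replace with the id of the data connector that reads the
    attribute repository.
  * The id must equal the attributeID used for this attribute in
    attribute-filter.xml, otherwise the value is never released.
-->
<resolver:AttributeDefinition id="Surname" xsi:type="Simple"
  xmlns="urn:mace:shibboleth:2.0:resolver:ad"
  sourceAttributeID="[Source no repositorio que possui o sn]">
  <resolver:Dependency ref="[Connector ao repositorio de atributos]" />
  <!-- SAML 1 wire name (MACE URN). -->
  <resolver:AttributeEncoder xsi:type="SAML1String"
    xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    name="urn:mace:dir:attribute-def:PERSON_SURNAME" />
  <!-- SAML 2 wire name: OID 2.5.4.4 (sn). -->
  <resolver:AttributeEncoder xsi:type="SAML2String"
    xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    name="urn:oid:2.5.4.4" friendlyName="PERSON_SURNAME" />
</resolver:AttributeDefinition>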

<!--
  Mail: simple (pass-through) definition for the user's e-mail address.
  * sourceAttributeID: replace the placeholder with the name of the attribute
    in the repository that holds mail.
  * Dependency ref: replace with the id of the data connector that reads the
    attribute repository.
  * The id must equal the attributeID used for this attribute in
    attribute-filter.xml; the filter policy, not this definition, decides
    which service providers receive the address.
-->
<resolver:AttributeDefinition
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    xsi:type="Simple"
    id="Mail"
    sourceAttributeID="[Source no repositorio que possui o mail]">
  <resolver:Dependency ref="[Connector ao repositorio de atributos]"/>
  <!-- SAML 1 wire name (MACE URN). -->
  <resolver:AttributeEncoder
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      xsi:type="SAML1String"
      name="urn:mace:dir:attribute-def:INETORGPERSON_MAIL"/>
  <!-- SAML 2 wire name: OID 0.9.2342.19200300.100.1.3 (mail). -->
  <resolver:AttributeEncoder
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      xsi:type="SAML2String"
      name="urn:oid:0.9.2342.19200300.100.1.3"
      friendlyName="INETORGPERSON_MAIL"/>
</resolver:AttributeDefinition>

<!--
  Entidade: simple (pass-through) definition for the user's organisation,
  taken from the repository attribute "o".
  * sourceAttributeID: replace the placeholder with the name of the attribute
    in the repository that holds o.
  * Dependency ref: replace with the id of the DataConnector that reads the
    attribute repository.
  * The id must equal the attributeID used for this attribute in
    attribute-filter.xml, otherwise the value is never released.
-->
<resolver:AttributeDefinition
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    xsi:type="Simple"
    id="Entidade"
    sourceAttributeID="[Source no repositorio que possui o atributo o]">
  <resolver:Dependency ref="[identificador do DataConnector]"/>
  <!-- SAML 1 wire name (MACE URN). -->
  <resolver:AttributeEncoder
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      xsi:type="SAML1String"
      name="urn:mace:dir:attribute-def:o"/>
  <!-- SAML 2 wire name: OID 2.5.4.10 (o). -->
  <resolver:AttributeEncoder
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      xsi:type="SAML2String"
      name="urn:oid:2.5.4.10"
      friendlyName="o"/>
</resolver:AttributeDefinition>

<!--
  eduPersonPrimaryAffiliation: simple (pass-through) definition for the
  user's primary affiliation.
  * sourceAttributeID: replace the placeholder with the name of the attribute
    in the repository that holds the affiliation.
    NOTE(review): the placeholder says "PersonAffiliation"; make sure the
    chosen source carries the single primary affiliation and not the
    multi-valued affiliation list (confirm against the repository schema).
  * Dependency ref: replace with the id of the data connector that reads the
    attribute repository.
  * The id must equal the attributeID used for this attribute in
    attribute-filter.xml, otherwise the value is never released.
-->
<resolver:AttributeDefinition
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    xsi:type="Simple"
    id="eduPersonPrimaryAffiliation"
    sourceAttributeID="[Source no repositorio que possui o PersonAffiliation]">
  <resolver:Dependency ref="[Connector ao repositorio de atributos]"/>
  <!-- SAML 1 wire name (MACE URN). -->
  <resolver:AttributeEncoder
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      xsi:type="SAML1String"
      name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation"/>
  <!-- SAML 2 wire name: OID 1.3.6.1.4.1.5923.1.1.1.5. -->
  <resolver:AttributeEncoder
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      xsi:type="SAML2String"
      name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5"
      friendlyName="eduPersonPrimaryAffiliation"/>
</resolver:AttributeDefinition>

attribute-filter.xml

<!--
  Attributes released to the EDUcast service.
  * The requirement rule compares the requester's entityID with the given
    string, so this policy applies to https://educast.fccn.pt/shibboleth
    only.
  * Each AttributeRule permits every value (basic:ANY) of one attribute;
    attributes that are not listed are not released by this policy.
  * Each attributeID must equal the id of an AttributeDefinition in
    attribute-resolver.xml.
  NOTE(review): the policy carries no id attribute and its elements are
  unprefixed; whether that is accepted depends on the IdP version and on the
  namespace declarations of the enclosing attribute-filter.xml (confirm).
-->
<AttributeFilterPolicy>
  <PolicyRequirementRule
      xsi:type="basic:AttributeRequesterString"
      value="https://educast.fccn.pt/shibboleth"/>

  <!-- E-mail address. -->
  <AttributeRule attributeID="Mail">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>

  <!-- Given name. -->
  <AttributeRule attributeID="Givenname">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>

  <!-- Surname. -->
  <AttributeRule attributeID="Surname">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>

  <!-- Organisation. -->
  <AttributeRule attributeID="Entidade">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>

  <!-- Primary affiliation. -->
  <AttributeRule attributeID="eduPersonPrimaryAffiliation">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
</AttributeFilterPolicy>