Question about ResourceFilter
WULMS Alexander
Alexander.WULMS at swift.com
Fri Sep 16 16:18:28 BST 2011
Hi,
I'm using Shibboleth IdP 2.3.3. I'm currently experimenting with the ResourceFilter tag in the services.xml in order to inject some environment-specific info into the config files like the attribute-filter.xml.
I have followed the instructions on https://wiki.shibboleth.net/confluence/display/SHIB2/IdPProdConfigFiles but it currently does not work as expected.
Before I applied the resource filter, I had a rule in the attribute-filter.xml that looked like:
    <afp:AttributeFilterPolicy id="myServiceProvider">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://service-provider.domain.com" />
        <afp:AttributeRule attributeID="mySpSpecificAttribute">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
With this setup, the attribute mySpSpecificAttribute gets released into the SAML response for the service provider with entity-id https://service-provider.domain.com.
With that working I have made some changes:
1) I have enabled a resource filter on the attribute-filter.xml in the services.xml file:
    <srv:Service id="shibboleth.AttributeFilterEngine" xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
        <srv:ConfigurationResource file="C:\No_Backup\Apps\shibboleth\SWIFTConf/attribute-filter.xml" xsi:type="resource:FilesystemResource">
            <resource:ResourceFilter xsi:type="PropertyReplacement"
                xmlns="urn:mace:shibboleth:2.0:resource"
                propertyFile="C:\No_Backup\Apps\shibboleth\SWIFTConf\config.properties"/>
        </srv:ConfigurationResource>
    </srv:Service>
2) I have updated the attribute-filter.xml file to use a property instead of hardcoding the entity ID of the service provider:
    <afp:AttributeFilterPolicy id="myServiceProvider">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="${serviceprovider.entityId}" />
        <afp:AttributeRule attributeID="mySpSpecificAttribute">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
3) I have made a config.properties file with the following contents:
    serviceprovider.entityId = https://service-provider.domain.com
However, with this configuration, the attribute mySpSpecificAttribute no longer gets released into the SAML response.
Is the usage of the resource filter only applicable to a subset of the config files or only to a subset of the tags or a subset of the properties?
Any help or pointers to more detailed documentation are welcome.
Alex Wulms
Lead Developer, Swift.com development
Tel: + 32 2 655 3931
S.W.I.F.T. SCRL
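Added example, not part of the original post and not Shibboleth code: a Python pre-deployment check that applies ${key} substitution to an attribute-filter.xml and reports, per policy, the effective requester value, any placeholder left unresolved, and whether the value equals the expected entityID. It assumes plain textual ${key} replacement and Java-style .properties parsing; the function names and the sample input are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed sample input, modelled on the snippets in the post.
SAMPLE_FILTER = """<afp:AttributeFilterPolicyGroup id="demo"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="myServiceProvider">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="${serviceprovider.entityId}" />
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""
SAMPLE_PROPS = "serviceprovider.entityId = https://service-provider.domain.com\n"

def load_properties(text):
    """Parse key=value lines; like Java's Properties.load, keep trailing
    whitespace in values (assumed subset of the .properties syntax)."""
    props = {}
    for line in text.splitlines():
        line = line.lstrip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.lstrip()
    return props

def audit(filter_xml, props_text, expected_entity_id):
    """Return one finding per policy: effective requester value, placeholders
    left unresolved, and whether the value equals the expected entityID."""
    props = load_properties(props_text)
    # Assumption: ${key} is replaced textually; unknown keys stay untouched.
    resolved = PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), filter_xml)
    findings = []
    for policy in ET.fromstring(resolved).iter(f"{{{AFP}}}AttributeFilterPolicy"):
        rule = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        value = rule.get("value", "") if rule is not None else ""
        findings.append({"policy": policy.get("id"), "requester": value,
                         "unresolved": PLACEHOLDER.findall(value),
                         "matches": value == expected_entity_id})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_FILTER, SAMPLE_PROPS, "https://service-provider.domain.com"):
        print(f)
```

A finding with a non-empty "unresolved" list or "matches" set to False means the policy would not apply to that requester, so the attribute would be withheld rather than released.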