Using different attribute maps for different SP-side applications

Juha Kervinen juha.kervinen at trusteq.com
Thu Jan 19 08:11:49 GMT 2012


Hi,
I'm trying to accomplish the following behavior on Shibboleth SP
2.4.3 (with Apache 2.2). With two Location definitions in the
httpd.conf:

    <Location /application_1/>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibUseHeaders On
        Require shibboleth
    </Location>

    <Location /application_2/>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibUseHeaders On
        Require shibboleth
    </Location>

I'd like to have requests coming in to these locations handled
differently, and because of this I have the following RequestMapper
configuration in the shibboleth2.xml:

    <RequestMap applicationId="default">
        <Host name="sp.mydomain.com" port="443">
            <Path name="application_1" applicationId="app_one" authType="shibboleth" requireSession="true"/>
        </Host>
        <Host name="sp.mydomain.com" port="443">
            <Path name="application_2" applicationId="app_two" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
And the Application declaration as follows:

    <ApplicationDefaults id="default" policyId="default"
        entityID="https://sp.mydomain.com/shibboleth"
        homeURL="https://sp.mydomain.com" REMOTE_USER="SHIB_uid"
        signing="front" encryption="false">
        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            handlerURL="/Shibboleth.sso" handlerSSL="false"
            exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
            idpHistory="false" idpHistoryDays="7">
        <AttributeExtractor type="XML" validate="true" path="/etc/shibboleth/attribute-map.xml"/>
        <AttributeResolver type="Query"/>
        <AttributeFilter type="XML" validate="true" path="/etc/shibboleth/attribute-policy.xml"/>
        <CredentialResolver type="File" key="/etc/shibboleth/sp-key.pem" certificate="/etc/shibboleth/sp-cert.pem"/>
        …. other configurations, omitted …..

        <!-- app_one -->
        <ApplicationOverride id="app_one">
            <Sessions>
                <SSO entityID="https://organisation_one.com/idp/shibboleth"
                     target="https://sp.mydomain.com/application_1/">SAML2</SSO>
            </Sessions>
            <AttributeExtractor type="XML" validate="true" path="attribute-map_app1.xml"/>
        </ApplicationOverride>

        <!-- app_two -->
        <ApplicationOverride id="app_two">
            <Sessions>
                <SSO entityID="https://organisation_two.com/idp/shibboleth"
                     target="https://sp.mydomain.com/application_2/">SAML2</SSO>
            </Sessions>
            <AttributeExtractor type="XML" validate="true" path="attribute-map_app2.xml"/>
        </ApplicationOverride>
    </ApplicationDefaults>
The goal of all this is to make the attributes be mapped differently
per IdP and application protected by Shibboleth on the SP (and in case
there is no explicit application mapping, then use the default one).

For example, if the IdP at organization 1 releases attributes A and B,
I'd like to make them appear as A+B in the SP, but for organization 2,
these might be B+A. (Yeah, I know, bad architecture on the application
side.)

The SP application software is a legacy Perl application, so it would
be possible to convert the attributes in Perl code to fit the
particular instance of the application, but I'd like to isolate the
attribute handling in Shibboleth in order to not make the applications
any more complex than they already are.

Do I have the right approach here? Is this the way it's supposed to
work, or am I reading the documentation wrong? Currently it's just
pushing everything through the default attribute map, but this might
be a typo somewhere if the approach is otherwise correct?
Br,
JuhaK
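As an added example (not from the post above or from the Shibboleth project), the following Python check works out which attribute map each RequestMap Path actually ends up with, given that an ApplicationOverride inherits any component it does not declare itself (so an override without its own AttributeExtractor silently uses the default map). It runs against a constructed config that copies the layout of the post; host names, ids and file paths in it are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's file) mirroring the post's layout: two
# Path entries, one override each, but app_two declares no AttributeExtractor.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMap applicationId="default">
    <Host name="sp.example.org" port="443">
      <Path name="application_1" applicationId="app_one"/>
    </Host>
    <Host name="sp.example.org" port="443">
      <Path name="application_2" applicationId="app_two"/>
    </Host>
  </RequestMap>
  <ApplicationDefaults id="default">
    <AttributeExtractor type="XML" path="/etc/shibboleth/attribute-map.xml"/>
    <ApplicationOverride id="app_one">
      <AttributeExtractor type="XML" path="attribute-map_app1.xml"/>
    </ApplicationOverride>
    <ApplicationOverride id="app_two"/>
  </ApplicationDefaults>
</SPConfig>"""

def _local(tag):  # strip the namespace so the checks do not depend on the URI
    return tag.rsplit("}", 1)[-1]

def _own_map(elem):  # path of a directly declared AttributeExtractor, else None
    ex = [c for c in elem if _local(c.tag) == "AttributeExtractor"]
    return ex[0].get("path") if ex else None

def audit_attribute_maps(config_text):
    """Which attribute map each Path really gets (overrides inherit what they omit)."""
    root = ET.fromstring(config_text)
    defaults = next(e for e in root.iter() if _local(e.tag) == "ApplicationDefaults")
    default_map = _own_map(defaults)
    overrides = {o.get("id"): _own_map(o)
                 for o in defaults if _local(o.tag) == "ApplicationOverride"}
    hosts, effective, warnings = {}, {}, []
    for host in (e for e in root.iter() if _local(e.tag) == "Host"):
        key = f"{host.get('name')}:{host.get('port', 'default')}"
        hosts[key] = hosts.get(key, 0) + 1
        for path in [c for c in host if _local(c.tag) == "Path"]:
            name, app_id = path.get("name"), path.get("applicationId", "default")
            if app_id != "default" and app_id not in overrides:
                warnings.append(f"{name}: no ApplicationOverride with id={app_id}")
            elif app_id != "default" and overrides[app_id] is None:
                warnings.append(f"{name}: override {app_id} inherits the default map")
            effective[name] = overrides.get(app_id) or default_map
    warnings += [f"Host {k} declared {n} times" for k, n in hosts.items() if n > 1]
    return {"effective_map": effective, "warnings": warnings}
```

Pointing it at a real shibboleth2.xml shows at a glance whether every protected path is wired to the map you expect, which is the first thing to verify when all attributes appear to go through the default map.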

