Using different attribute maps for different SP-side applications

Juha Kervinen juha.kervinen at trusteq.com
Thu Jan 19 08:34:00 GMT 2012


Hi,

Sorry, should have read

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride

before posting... somehow I missed it... :-p

JuhaK

2012/1/19 Juha Kervinen <juha.kervinen at trusteq.com>:
> Hi,
> I'm trying to accomplish the following behavior on Shibboleth SP
> 2.4.3 (with Apache 2.2). With two location definitions in the
> httpd.conf:
>
> <Location /application_1/>
>   AuthType shibboleth
>   ShibRequestSetting requireSession 1
>   ShibUseHeaders On
>   Require shibboleth
> </Location>
> <Location /application_2/>
>   AuthType shibboleth
>   ShibRequestSetting requireSession 1
>   ShibUseHeaders On
>   Require shibboleth
> </Location>
>
> I'd like to have requests coming in to these locations handled
> differently and because of this I have the following RequestMapper
> configuration in the shibboleth2.xml:
>
> <RequestMap applicationId="default">
>   <Host name="sp.mydomain.com" port="443">
>     <Path name="application_1" applicationId="app_one" authType="shibboleth" requireSession="true"/>
>   </Host>
>   <Host name="sp.mydomain.com" port="443">
>     <Path name="application_2" applicationId="app_two" authType="shibboleth" requireSession="true"/>
>   </Host>
> </RequestMap>
> And the Application declaration is as follows:
>
> <ApplicationDefaults id="default" policyId="default"
>     entityID="https://sp.mydomain.com/shibboleth"
>     homeURL="https://sp.mydomain.com" REMOTE_USER="SHIB_uid"
>     signing="front" encryption="false">
>   <Sessions lifetime="28800" timeout="3600" checkAddress="false"
>       handlerURL="/Shibboleth.sso" handlerSSL="false"
>       exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
>       idpHistory="false" idpHistoryDays="7">
>   <AttributeExtractor type="XML" validate="true" path="/etc/shibboleth/attribute-map.xml"/>
>   <AttributeResolver type="Query"/>
>   <AttributeFilter type="XML" validate="true" path="/etc/shibboleth/attribute-policy.xml"/>
>   <CredentialResolver type="File" key="/etc/shibboleth/sp-key.pem" certificate="/etc/shibboleth/sp-cert.pem"/>
>   …. other configurations, omitted …..
>
>   <!-- app_one -->
>   <ApplicationOverride id="app_one">
>     <Sessions>
>       <SSO entityID="https://organisation_one.com/idp/shibboleth"
>            target="https://sp.mydomain.com/application_1/">SAML2</SSO>
>     </Sessions>
>     <AttributeExtractor type="XML" validate="true" path="attribute-map_app1.xml"/>
>   </ApplicationOverride>
>
>   <!-- app_two -->
>   <ApplicationOverride id="app_two">
>     <Sessions>
>       <SSO entityID="https://organisation_two.com/idp/shibboleth"
>            target="https://sp.mydomain.com/application_2/">SAML2</SSO>
>     </Sessions>
>     <AttributeExtractor type="XML" validate="true" path="attribute-map_app2.xml"/>
>   </ApplicationOverride>
> </ApplicationDefaults>
> The goal of all this is to make the attributes be mapped differently
> per IDP and application protected by Shibboleth on the SP (and in case
> there is no explicit application mapping, then use the default one).
> For example, if the IDP at organization 1 releases attributes A and B,
> I'd like to make them appear as A+B in the SP, but for organization 2,
> these might be B+A. (Yeah, I know, bad architecture on the
> application side).
> The SP application software is a legacy Perl application, so it would
> be possible to convert the attributes in Perl code to fit the
> particular instance of the application, but I'd like to isolate the
> attribute handling in Shibboleth in order to not make the applications
> any more complex than they already are.
> Do I have the right approach here? Is this the way it's supposed to
> work or am I reading the documentation wrong? Currently it's just
> pushing everything through the default attribute map but this might be
> a typo somewhere if the approach is otherwise correct?
> Br,
> JuhaK



-- 
Juha Kervinen, Lead Architect
Trusteq Oy - http://www.trusteq.com
Keilaranta 19, FIN-02150 Espoo, FINLAND
Mobile: +358 50 435 3776, Fax: +358 10 387 8479
email: juha.kervinen at trusteq.com
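The quoted question is why every request still ends up with the default attribute map even though per-application overrides were declared. The script below is an added example, not code from the post or from the Shibboleth project: it lints a shibboleth2.xml fragment and reports, for each RequestMap Path, which AttributeExtractor map that applicationId will actually use, so a mismatch between the RequestMap and the ApplicationOverride ids, or an override that forgot its own AttributeExtractor, shows up before testing against a live IdP. It assumes a constructed sample config (hostnames and file names are made up), omits the SP's XML namespace for brevity, models an override with no AttributeExtractor as inheriting the default map, and only inspects the RequestMap side of the mapping, not the Apache httpd.conf.

```python
"""Consistency check for Shibboleth SP RequestMap / ApplicationOverride
settings (added example, not code from the mailing-list post)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the configuration discussed in the thread.
# Assumptions: no XML namespace (real files use the SP's config namespace),
# and AttributeExtractor paths are compared as plain strings.
SAMPLE_CONFIG = """
<SPConfig>
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.com" port="443">
        <Path name="application_1" applicationId="app_one" authType="shibboleth" requireSession="true"/>
      </Host>
      <Host name="sp.example.com" port="443">
        <Path name="application_2" applicationId="app_two" authType="shibboleth" requireSession="true"/>
        <Path name="application_3" applicationId="app_three" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults id="default" entityID="https://sp.example.com/shibboleth">
    <AttributeExtractor type="XML" validate="true" path="/etc/shibboleth/attribute-map.xml"/>
    <ApplicationOverride id="app_one">
      <AttributeExtractor type="XML" validate="true" path="attribute-map_app1.xml"/>
    </ApplicationOverride>
    <ApplicationOverride id="app_two">
      <!-- no AttributeExtractor here: inherits the default map -->
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>
"""


def _local(tag):
    """Strip an XML namespace prefix ({uri}Name -> Name)."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    """All elements in the tree whose local name is `name`."""
    return [e for e in root.iter() if _local(e.tag) == name]


def check_config(xml_text):
    """Return the attribute map each Path will actually use, plus a list of
    problems: applicationIds with no matching ApplicationOverride, overrides
    that silently inherit the default map, and hosts declared twice."""
    root = ET.fromstring(xml_text)
    defaults = _find_all(root, "ApplicationDefaults")[0]
    default_id = defaults.get("id", "default")
    default_map = None
    for child in defaults:
        if _local(child.tag) == "AttributeExtractor":
            default_map = child.get("path")

    # override id -> path of the extractor declared on that override, or None
    overrides = {}
    for ov in _find_all(root, "ApplicationOverride"):
        own = [c.get("path") for c in ov if _local(c.tag) == "AttributeExtractor"]
        overrides[ov.get("id")] = own[0] if own else None

    problems = []
    effective = {}
    seen_hosts = set()
    for host in _find_all(root, "Host"):
        key = (host.get("name"), host.get("port"))
        if key in seen_hosts:
            problems.append("host %s:%s declared more than once; put all Path "
                            "elements under one Host" % key)
        seen_hosts.add(key)

    # Only Path-level applicationId is inspected; a Host-level one is not.
    for path in _find_all(root, "Path"):
        name, app_id = path.get("name"), path.get("applicationId")
        if app_id is None or app_id == default_id:
            effective[name] = default_map
        elif app_id not in overrides:
            problems.append("Path %s references applicationId %r but no "
                            "ApplicationOverride has that id" % (name, app_id))
            effective[name] = default_map
        elif overrides[app_id] is None:
            problems.append("ApplicationOverride %r has no AttributeExtractor; "
                            "Path %s uses the default map" % (app_id, name))
            effective[name] = default_map
        else:
            effective[name] = overrides[app_id]
    return {"effective_maps": effective, "problems": problems}


if __name__ == "__main__":
    result = check_config(SAMPLE_CONFIG)
    for name, path in sorted(result["effective_maps"].items()):
        print("%-14s -> %s" % (name, path))
    for p in result["problems"]:
        print("WARNING:", p)
```

Run against the sample, application_1 resolves to its own map while application_2 and application_3 fall back to /etc/shibboleth/attribute-map.xml, each with a warning explaining why; pointing it at a real shibboleth2.xml requires only that the file parse and use the same element names.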

