Better approach to do Authorization in shibboleth

Andrew Morgan morgan at orst.edu
Thu Dec 4 13:31:36 EST 2014


On Thu, 4 Dec 2014, Surinaidu Majji wrote:

> Thank you very much @Andy for your reply after looking into my query deeply.
> I got a better understanding of the Shibboleth flow when I saw your reply.
>
> The Shibboleth IDP performs authentication via a variety of methods.
> -> Here I am using 'ExternalAuth', in which it goes to my custom URL to
> do further processing.
>
> If you want to change the login.jsp script to
> validate credentials against a different database, you can do that.
> -> Yes, I can do that, and here I am thinking of dealing with only one
> login.jsp for both the databases; anyway, that depends on my design.
>
> After authentication is successful, the Shibboleth IDP will attempt to
> resolve attributes (find more information about) the principal returned by
> the authentication step
> - Since I am using 'ExternalAuth', and I am not using any 'UserName'
> in particular,
> I am writing the code according to the Shibboleth website for
> externalAuth (use a Subject to get control over the principal).
>
> This code is written after authentication is successful against my database.
> request.setAttribute(globalStrings.getForceAuthn(), false);
> Principal principal = new UsernamePrincipal(login.getAttributes());
> Subject subj = new Subject();
> subj.getPrincipals().add(principal);
> request.setAttribute(LoginHandler.PRINCIPAL_KEY, principal);
> request.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, personId);
> request.setAttribute(LoginHandler.SUBJECT_KEY, subj);
> request.setAttribute(globalStrings.getAuthnMethod(),
> this.authenticationMethod);
> AuthenticationEngine.returnToAuthenticationEngine(request, response);

It is my understanding that the attributes released by the IDP *only* come 
from the attribute resolution step.  I don't think attributes can be added 
by the external auth handler.  It should be using the "principal" as the 
key to lookup additional attributes in your Data Connector.

> The attribute resolution is configured in attribute-resolver.xml.
> - Below is my attribute-resolver.xml to resolve the attributes; please
> look into it.
>
> <resolver:AttributeDefinition id="principal" xsi:type="PrincipalName"
>                               xmlns="urn:mace:shibboleth:2.0:resolver:ad">
>
>     <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" />
>
>     <resolver:AttributeEncoder xsi:type="SAML2Base64"
>                                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>                                name="ORG_ATTRIBUTE_64" />
>     <resolver:AttributeEncoder xsi:type="SAML2String"
>                                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>                                name="ORG_ATTRIBUTE" />
> </resolver:AttributeDefinition>
>
> For the above, no "dataconnector" is used.
>
> attribute-filter.xml:
>
> <afp:AttributeFilterPolicy id="releaseBasicAttributesToAnyone">
>     <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
>     <afp:AttributeRule attributeID="principal">
>         <afp:PermitValueRule xsi:type="basic:ANY" />
>     </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
> So that I could get the above principal (email, acctType etc.) at the
> SP side in the 'SAMLResponse'.
>
>
> Common places to lookup additional information are a database or LDAP.
> - Here I am using our database completely, so there is no point in LDAP.
>   You are saying additional information; can it be the 'permissions of the
>   user', which are in our database?
> - Here, how can I get the required 'permission info' (authorization) from our
>   database?
> - How do I write it in attribute-resolver.xml using DataConnectors to
>   get the perms of the user?
> Please provide me some example configuration with which I can get the
> 'permissions of the user'.

The distributed attribute-resolver.xml file has an example database Data 
Connector:

     <!-- Example Relational Database Connector -->
     <!--
     <resolver:DataConnector id="mySIS" xsi:type="dc:RelationalDatabase">
         <dc:ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
                                          jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
                                          jdbcUserName="myid"
                                          jdbcPassword="mypassword" />
         <dc:QueryTemplate>
             <![CDATA[
                 SELECT * FROM student WHERE gzbtpid = '$requestContext.principalName'
             ]]>
         </dc:QueryTemplate>

         <dc:Column columnName="gzbtpid" attributeID="uid" />
         <dc:Column columnName="fqlft" attributeID="gpa" type="Float" />
     </resolver:DataConnector>
      -->

I use LDAP here, but this looks pretty easy to me.  Enter your connection 
string, a SQL query, and column-to-attributeID mapping.

> After attribute resolution is complete, the Shibboleth IDP will filter
> those attributes according to the configuration in attribute-filter.xml.
> Only the attributes you configure will be released to the SP.
>
> The SP can then use those attributes to making authorization decisions.
> -> Yes, if I can do the configuration in attribute-resolver.xml and
>    attribute-filter.xml, I can use the attributes at the SP side
>    from the SAMLResponse.
> If you can provide me answers to my above questions, I think I can
> complete my task.

Keep asking questions, we'll keep trying to answer them.  :)

 	Andy
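As an added, worked version of the database example Andy points to (not from the original thread or the Shibboleth distribution): a RelationalDatabase connector that fetches the user's permissions, the attribute definitions that depend on it, and a filter policy that releases them only to the application's SP. Table and column names, the MySQL driver, host, database account, SP entityID and attribute names are all assumed placeholders.

```xml
<!-- attribute-resolver.xml: pull the user's permissions from the application database -->
<resolver:DataConnector id="appPermissions" xsi:type="dc:RelationalDatabase">
    <!-- Use a read-only DB account that can only SELECT these tables; this file holds its
         password in clear, so restrict the file's permissions to the IdP's service user. -->
    <dc:ApplicationManagedConnection jdbcDriver="com.mysql.jdbc.Driver"
                                     jdbcURL="jdbc:mysql://db.example.org:3306/appdb"
                                     jdbcUserName="idp_reader"
                                     jdbcPassword="CHANGEME" />
    <dc:QueryTemplate>
        <![CDATA[
            SELECT u.acct_type, p.perm_name
              FROM users u
              JOIN user_perms p ON p.user_id = u.id
             WHERE u.person_id = '$requestContext.principalName'
        ]]>
    </dc:QueryTemplate>
    <!-- $requestContext.principalName is the principal name the IdP recorded in the
         external auth step (PRINCIPAL_NAME_KEY), not a browser-supplied parameter.
         One row per permission: perm_name becomes a multi-valued attribute. -->
    <dc:Column columnName="acct_type" attributeID="acctType" />
    <dc:Column columnName="perm_name" attributeID="perm" />
</resolver:DataConnector>

<!-- Attribute definitions that depend on the connector and encode for SAML 2 -->
<resolver:AttributeDefinition id="appAcctType" xsi:type="ad:Simple" sourceAttributeID="acctType">
    <resolver:Dependency ref="appPermissions" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:example:app:acctType" friendlyName="appAcctType" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="appPermission" xsi:type="ad:Simple" sourceAttributeID="perm">
    <resolver:Dependency ref="appPermissions" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:example:app:permission" friendlyName="appPermission" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: release the permission attributes only to the one SP that
     enforces them, rather than to any requester (basic:ANY) -->
<afp:AttributeFilterPolicy id="releasePermissionsToApp">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://sp.example.org/shibboleth" />
    <afp:AttributeRule attributeID="appPermission">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="appAcctType">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

The SP then sees one `urn:example:app:permission` attribute with one value per row returned for that principal, and the SP-side rules decide access from those values; the IdP itself makes no authorization decision beyond what it releases.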
