Better approach to do Authorization in shibboleth
Andrew Morgan
morgan at orst.edu
Thu Dec 4 13:31:36 EST 2014
On Thu, 4 Dec 2014, Surinaidu Majji wrote:
> Thank you very much, @Andy, for your reply after looking into my query deeply.
> I got a better understanding of the Shibboleth flow when I saw your reply.
>
> The Shibboleth IDP performs authentication via a variety of methods.
> -> Here I am using 'ExternalAuth', in which it goes to my custom URL for
> further processing.
>
> If you want to change the login.jsp script to
> validate credentials against a different database, you can do that.
> -> Yes, I can do that, and here I am thinking of dealing with only one
> login.jsp for both databases; anyway, that depends on my design.
>
> After authentication is successful, the Shibboleth IDP will attempt to
> resolve attributes (find more information about) the principal returned by
> the authentication step
> - Since I am using 'ExternalAuth', and I am not using any 'UserName' in
> particular, I am writing the code according to the Shibboleth website for
> ExternalAuth (use a Subject to get control over the principal).
>
> This code is written after authentication is successful against my database.
> // Signal whether forced re-authentication applies to this request.
> request.setAttribute(globalStrings.getForceAuthn(), false);
> // Wrap the authenticated user in a Principal and a Subject.
> Principal principal = new UsernamePrincipal(login.getAttributes());
> Subject subj = new Subject();
> subj.getPrincipals().add(principal);
> // Hand the principal, its name and the subject back to the IdP.
> request.setAttribute(LoginHandler.PRINCIPAL_KEY, principal);
> request.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, personId);
> request.setAttribute(LoginHandler.SUBJECT_KEY, subj);
> request.setAttribute(globalStrings.getAuthnMethod(),
>                      this.authenticationMethod);
> // Return control to the IdP's authentication engine.
> AuthenticationEngine.returnToAuthenticationEngine(request, response);
It is my understanding that the attributes released by the IDP *only* come
from the attribute resolution step. I don't think attributes can be added
by the external auth handler. It should be using the "principal" as the
key to lookup additional attributes in your Data Connector.
> The attribute resolution is configured in attribute-resolver.xml.
> - Below is my attribute-resolver.xml to resolve the attributes; please
> look into it.
>
> <resolver:AttributeDefinition id="principal" xsi:type="PrincipalName"
>                               xmlns="urn:mace:shibboleth:2.0:resolver:ad">
>     <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" />
>     <resolver:AttributeEncoder xsi:type="SAML2Base64"
>                                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>                                name="ORG_ATTRIBUTE_64" />
>     <resolver:AttributeEncoder xsi:type="SAML2String"
>                                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>                                name="ORG_ATTRIBUTE" />
> </resolver:AttributeDefinition>
> For the above, no "DataConnector" is used.
>
> attribute-filter.xml:
>
> <afp:AttributeFilterPolicy id="releaseBasicAttributesToAnyone">
>     <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
>     <afp:AttributeRule attributeID="principal">
>         <afp:PermitValueRule xsi:type="basic:ANY" />
>     </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
> So that I could get the above principal (email, acctType, etc.) at the
> SP side in the 'SAMLResponse'.
>
>
> Common places to lookup additional information are a database or LDAP.
> - Here I am using our database completely, so there is no point in LDAP.
> You are saying additional information; can it be 'permissions of the
> user', which are from our database?
> - Here, how can I get the required 'permission info' (authorization) from
> our database?
> - How to write it in attribute-resolver.xml using DataConnectors to get
> the perms of the user?
> Please provide me with some example configuration with which I can get the
> 'permissions of the user'.
The distributed attribute-resolver.xml file has an example database Data
Connector:
<!-- Example Relational Database Connector -->
<!--
<resolver:DataConnector id="mySIS" xsi:type="dc:RelationalDatabase">
    <dc:ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
                                     jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
                                     jdbcUserName="myid"
                                     jdbcPassword="mypassword" />
    <dc:QueryTemplate>
        <![CDATA[
            SELECT * FROM student WHERE gzbtpid = '$requestContext.principalName'
        ]]>
    </dc:QueryTemplate>
    <dc:Column columnName="gzbtpid" attributeID="uid" />
    <dc:Column columnName="fqlft" attributeID="gpa" type="Float" />
</resolver:DataConnector>
-->
I use LDAP here, but this looks pretty easy to me. Enter your connection
string, a SQL query, and column-to-attributeID mapping.
> After attribute resolution is complete, the Shibboleth IDP will filter
> those attributes according to the configuration in attribute-filter.xml.
> Only the attributes you configure will be released to the SP.
>
> The SP can then use those attributes to make authorization decisions.
> -> Yes, if I can do the configuration in attribute-resolver.xml and
> attribute-filter.xml, I can use them at the SP side from the
> SAMLResponse.
> If you can provide me with answers to my above questions, I think I can
> complete my task.
Keep asking questions, we'll keep trying to answer them. :)
Andy
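As an added example (not from Andy's message or the Shibboleth distribution), here is the permissions lookup built on that database connector pattern: the data connector queries a hypothetical user_permissions table keyed by the authenticated principal name, a Simple attribute definition exposes the rows as a multi-valued userPermission attribute, and the filter policy releases it only to one SP. The table and column names, the JDBC driver and URL, the attribute name and the SP entityID are assumptions; the ad:, dc:, enc: and afp: prefixes assume the namespace declarations of the stock IdP v2 configuration files.

```xml
<!-- attribute-resolver.xml: permissions come from the database, keyed by the
     principal name that the external authentication step handed back.
     Table, column and connection values below are assumed, not real. -->
<resolver:DataConnector id="myPermsDB" xsi:type="dc:RelationalDatabase">
    <!-- Use a read-only DB account: the IdP only needs SELECT on this table. -->
    <dc:ApplicationManagedConnection jdbcDriver="com.mysql.jdbc.Driver"
                                     jdbcURL="jdbc:mysql://db.example.org:3306/idp"
                                     jdbcUserName="idp_readonly"
                                     jdbcPassword="CHANGE_ME" />
    <dc:QueryTemplate>
        <![CDATA[
            SELECT permission FROM user_permissions
            WHERE username = '$requestContext.principalName'
        ]]>
    </dc:QueryTemplate>
    <!-- One row per permission; the rows become one multi-valued attribute. -->
    <dc:Column columnName="permission" attributeID="dbPermission" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="userPermission" xsi:type="ad:Simple"
                              sourceAttributeID="dbPermission">
    <resolver:Dependency ref="myPermsDB" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:example:userPermission"
                               friendlyName="userPermission" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: release the permissions to one known SP only,
     rather than to any requester as basic:ANY would. -->
<afp:AttributeFilterPolicy id="releasePermissionsToMyApp">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://sp.example.org/shibboleth" />
    <afp:AttributeRule attributeID="userPermission">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

With this in place the SP receives one userPermission value per matching row in the SAML assertion and can base its authorization decisions on those values, while the principal attribute keeps serving as the NameID.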