Shibbolizing NetPartner - Working Example - Information Purpose only

mrahman mrahman at brookdalecc.edu
Wed Nov 19 17:09:01 EST 2014


I had to dig around for a while to get this going, and finally was able to
make it work, with the help of Nate Klingenstein of Internet2, Etan Wintraub
at Johns Hopkins U and David Langenberg at UChicago - thanks for all of your
help guys.

Here is the solution with Shib 2.4.2: 
=======================

Since NetPartner does not supply any metadata, you need to create it on your
own - it can be inline metadata or file-backed metadata referenced from
relying-party.xml.

This is what I have in my NetPartner metadata file, placed in the /metadata
folder of the IdP installation directory:
<EntityDescriptor entityID="NetPartner"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://netpartnerhost/NetPartner/NetPartnerStudent/Logon.aspx" />
  </SPSSODescriptor>
</EntityDescriptor>

Then in your relying-party.xml, load the metadata:

<metadata:MetadataProvider id="NetPartnerSP"
    xsi:type="FilesystemMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataFile="c:\opt\shibboleth-idp\metadata\netPartner-metadata.xml"
    maintainExpiredMetadata="true">
</metadata:MetadataProvider>

In your attribute-resolver, add this: 

<resolver:AttributeDefinition id="netPartnerStudentID"
    xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="employeeID">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder
      xsi:type="SAML1StringNameIdentifier"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
  <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</resolver:AttributeDefinition>

and in attribute-filter.xml add a new filter policy:

<afp:AttributeFilterPolicy id="releaseForNetPartnerSP">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="NetPartner" />
  <afp:AttributeRule attributeID="netPartnerStudentID">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

then back in your relying-party.xml add a RelyingParty override after
the DefaultRelyingParty element:

<rp:RelyingParty id="NetPartner"
    provider="https://youridphostFQDN/idp/profile/SAML2/Redirect/SSO"
    defaultSigningCredentialRef="IdPCredential">
  <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
      encryptAssertions="never" encryptNameIds="never" />
</rp:RelyingParty>

which tells the IdP to override assertion encryption for
NetPartner-bound assertions - NP does not have a mechanism to handle
encrypted messages.

Finally, go to your netpartnerManager/Logon.aspx page and update the
values:
IDP Url: https://youridpFQDN/idp/profile/SAML2/Redirect/SSO
Protocol Binding: Post
and upload your IdP's public cert.

That should do it. 

Thanks.
-Moe
mrahman at brookdalecc.edu



--
View this message in context: http://shibboleth.1660669.n2.nabble.com/Shibbolizing-NetPartner-Working-Example-Information-Purpsoe-only-tp7609121.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
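A sanity check added here (not from the original post and not part of Shibboleth) that reads the hand-written SP metadata and confirms that its entityID matches both the rp:RelyingParty id and the AttributeRequesterString value, and that the AssertionConsumerService is an https endpoint using the POST binding; the function name and the embedded metadata string are constructed for this example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the hand-written NetPartner SP metadata from the post.
NETPARTNER_METADATA = """<EntityDescriptor entityID="NetPartner"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://netpartnerhost/NetPartner/NetPartnerStudent/Logon.aspx" />
  </SPSSODescriptor>
</EntityDescriptor>"""


def check_netpartner_config(metadata_xml, relying_party_id, filter_requester_value):
    """Return a list of problems; an empty list means the three pieces agree.

    relying_party_id       - the id on the rp:RelyingParty override
    filter_requester_value - the value on the basic:AttributeRequesterString rule
    """
    problems = []
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")

    # The encryption override and the release policy are both keyed on the
    # SP's entityID. A mismatch means the default (encrypting) profile is
    # used, or nothing is released, with no IdP log line pointing at it.
    if entity_id != relying_party_id:
        problems.append(f"rp:RelyingParty id {relying_party_id!r} != entityID {entity_id!r}")
    if entity_id != filter_requester_value:
        problems.append(f"AttributeRequesterString {filter_requester_value!r} != entityID {entity_id!r}")

    acs_list = root.findall(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
    if not acs_list:
        problems.append("no AssertionConsumerService in SP metadata")
    for acs in acs_list:
        location = acs.get("Location", "")
        # With encryptAssertions="never" the assertion is protected in transit
        # only by TLS, so the ACS endpoint must be https.
        if not location.startswith("https://"):
            problems.append(f"AssertionConsumerService Location is not https: {location}")
        # NetPartner's Logon.aspx is configured for the POST binding.
        if acs.get("Binding") != HTTP_POST:
            problems.append(f"unexpected ACS Binding: {acs.get('Binding')}")
    return problems
```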

