Access Denied
Robert Bradley
robert.bradley at it.ox.ac.uk
Wed Aug 8 08:12:51 EDT 2018
On 07/08/18 19:49, Tabitha O. Locklear wrote:
> Back when we first created a login for our SP we used this
> documentation.
>
> 1. have a deny policy to not release transient ID
>
> 2. new definition for username in resolver the username not as
> string, but nameid
>
> 3. release this username to SP
>
> 4. nameid's cannot be encrypted
>
> In our Attribute-Filter.xml we have
>
> STEP 1:
>
> <afp:AttributeFilterPolicy id="releaseTransientId">
>   <afp:PolicyRequirementRule xsi:type="basic:NOT">
>     <basic:Rule xsi:type="basic:AttributeRequesterString"
>                 value="https://xxxx-stg.saasit.com/" />
>   </afp:PolicyRequirementRule>
>   <afp:AttributeRule attributeID="transientId">
>     <afp:PermitValueRule xsi:type="basic:ANY"/>
>   </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
> STEP 2:
>
> <resolver:AttributeDefinition id="Login" xsi:type="Simple"
>     xmlns="urn:mace:shibboleth:2.0:resolver:ad"
>     sourceAttributeID="sAMAccountName">
>   <resolver:Dependency ref="myAD" />
>   <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
>       xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>       nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:transient" />
>   <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
>       xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>       nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
> </resolver:AttributeDefinition>
>
> STEP 3:
>
> <AttributeFilterPolicy id="releaseLoginToSAASIT">
>   <PolicyRequirementRule xsi:type="Requester"
>       value="https://uncp-stg.saasit.com/" />
>   <AttributeRule attributeID="Login">
>     <PermitValueRule xsi:type="ANY" />
>   </AttributeRule>
> </AttributeFilterPolicy>

If that saasit.com entityID is what I think it is, you probably don't
need any of the custom NameID stuff for this...

Instead, you should be able to release the Login attribute as a normal
attribute (called sAMAccountName in this example) and configure HEAT
to use that attribute as the login ID
(https://help.ivanti.com/ht/help/en_US/ISM/2017/Content/Configure/Security/ADFS%20SAML.htm
has details on the cloud-side of this). The attribute-resolver.xml
then would look something like (in v3 syntax):

<resolver:AttributeDefinition id="sAMAccountName"
    xsi:type="ad:Simple" sourceAttributeID="sAMAccountName">
  <resolver:Dependency ref="myAD" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1.2.840.113556.1.4.221" friendlyName="sAMAccountName"
      encodeType="false" />
</resolver:AttributeDefinition>

In the "provisioning attributes" configuration, LoginID would be
mapped to "urn:oid:1.2.840.113556.1.4.221" (MS's OID for sAMAccountName).

The attribute-filter.xml fragment would look like:

<afp:AttributeFilterPolicy id="attributeFilterPolicyForUucpStgSaasit">
  <afp:PolicyRequirementRule
      xsi:type="basic:AttributeRequesterString"
      value="https://uncp-stg.saasit.com/" />
  <afp:AttributeRule attributeID="sAMAccountName">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Lastly, the default signing algorithm used by HEAT is SHA-1. You will
either need to configure it to use SHA-256 in their Web interface or
use relying-party.xml to override it:

<bean id="SHA1SecurityConfig"
    parent="shibboleth.DefaultSecurityConfiguration"
    p:signatureSigningConfiguration-ref="shibboleth.SigningConfiguration.SHA1" />
...
<util:list id="shibboleth.RelyingPartyOverrides">
  <bean parent="RelyingPartyByName"
      c:relyingPartyIds="#{{'https://uncp-stg.saasit.com/',
                           'https://uncp.saasit.com/'}}">
    <property name="profileConfigurations">
      <list>
        <bean parent="SAML2.SSO"
            p:securityConfiguration-ref="SHA1SecurityConfig"
            p:signAssertions="true" />
      </list>
    </property>
  </bean>
  ...
</util:list>

Hope this helps...
-- 
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
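The two filter policies in this thread (the original poster's NOT rule that keeps transientId away from one SP, and the reply's plain release of sAMAccountName to that SP) can be checked offline before touching a live IdP. The following is an added example, not code from the post and not the Shibboleth IdP's own filter engine: it models only the rule types used above (AttributeRequesterString, NOT, ANY), matches xsi:type values by their local name so both the v2 "basic:" prefix and the v3 prefix-less form work, and runs the constructed sample policy group against constructed resolved attributes for two requesters. Namespace URIs are the IdP's afp and basic ones; the entityID for the second requester is made up.

```python
"""Offline evaluator for Shibboleth-style attribute-filter policies.

Added example, not code from the post or from the Shibboleth IdP. Supports
only the rule types seen in the thread (AttributeRequesterString, NOT, ANY)
and matches xsi:type by local name. Sample policies and attribute values
are constructed for the demo.
"""
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: the NOT policy from the original post (transientId to
# everyone except the HEAT SP) plus the reply's sAMAccountName release policy.
SAMPLE_FILTER = f"""
<afp:AttributeFilterPolicyGroup xmlns:afp="{AFP}" xmlns:basic="{BASIC}"
                                xmlns:xsi="{XSI}">
  <afp:AttributeFilterPolicy id="releaseTransientId">
    <afp:PolicyRequirementRule xsi:type="basic:NOT">
      <basic:Rule xsi:type="basic:AttributeRequesterString"
                  value="https://uncp-stg.saasit.com/" />
    </afp:PolicyRequirementRule>
    <afp:AttributeRule attributeID="transientId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy id="attributeFilterPolicyForUncpStgSaasit">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://uncp-stg.saasit.com/" />
    <afp:AttributeRule attributeID="sAMAccountName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""

# Constructed resolved attributes for one user, keyed by attributeID.
RESOLVED = {
    "transientId": ["_c0ffee-constructed-transient"],
    "sAMAccountName": ["jdoe"],
    "mail": ["jdoe@example.edu"],  # no policy mentions mail: must never leak
}


def _xsi_type(elem):
    """Local part of the element's xsi:type (e.g. 'basic:NOT' -> 'NOT')."""
    return elem.get(f"{{{XSI}}}type", "").split(":")[-1]


def matches(rule, requester):
    """Evaluate a policy-requirement rule against the requesting entityID."""
    kind = _xsi_type(rule)
    if kind == "AttributeRequesterString":
        return rule.get("value") == requester
    if kind == "NOT":
        (child,) = list(rule)  # NOT wraps exactly one nested rule
        return not matches(child, requester)
    if kind == "ANY":
        return True
    raise ValueError(f"unsupported rule type: {kind!r}")


def released_attributes(filter_xml, requester, resolved):
    """Return {attributeID: values} released to requester (default deny).

    A policy contributes its AttributeRules only when its
    PolicyRequirementRule is true for this requester; an attribute that no
    matching policy names is never released.
    """
    root = ET.fromstring(filter_xml)
    released = {}
    for policy in root.iter(f"{{{AFP}}}AttributeFilterPolicy"):
        req = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if req is None or not matches(req, requester):
            continue
        for attr_rule in policy.findall(f"{{{AFP}}}AttributeRule"):
            attr_id = attr_rule.get("attributeID")
            permit = attr_rule.find(f"{{{AFP}}}PermitValueRule")
            # Only the ANY value rule is modelled; anything else fails loudly
            # rather than silently releasing or dropping values.
            if permit is None or _xsi_type(permit) != "ANY":
                raise ValueError("only basic:ANY value rules are modelled here")
            if attr_id in resolved:
                released.setdefault(attr_id, []).extend(resolved[attr_id])
    return released


def release_table(filter_xml=SAMPLE_FILTER, resolved=RESOLVED):
    """Attribute IDs each of two requesters would receive under the policy."""
    requesters = ("https://uncp-stg.saasit.com/", "https://other-sp.example.org/")
    return {sp: sorted(released_attributes(filter_xml, sp, resolved))
            for sp in requesters}


if __name__ == "__main__":
    for sp, attrs in release_table().items():
        print(f"{sp}: {attrs}")
```

Running it shows the HEAT staging SP receiving only sAMAccountName while any other requester receives only transientId, and mail reaching nobody; that is the split the thread is after, and the evaluator makes the NOT rule's effect visible without a login round-trip.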
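On the SHA-1 point: after either changing HEAT's setting or adding the relying-party override above, a deployer wants to confirm which algorithms actually appear in the signed Response the SP receives. This added example (not code from the post, from Shibboleth or from HEAT) reads the ds:SignatureMethod and ds:DigestMethod URIs out of a SAML 2.0 Response and flags SHA-1; it does not verify the signature. The sample Response is constructed, and its DigestValue and SignatureValue are placeholders.

```python
"""Report the XML-DSig algorithms used in a signed SAML 2.0 message.

Added example, not code from the post, Shibboleth or HEAT. Parses only the
ds:Signature metadata (no verification) and reports whether SHA-1 is in use.
The sample Response is constructed with placeholder digest/signature values.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# SHA-1 algorithm identifiers from the XML-DSig registry.
LEGACY_SHA1 = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

# Constructed: what an IdP signing with the SHA1SecurityConfig override sends.
SAMPLE_RESPONSE_SHA1 = """
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                 ID="_constructed-1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#_constructed-1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
</saml2p:Response>
"""

# Constructed: the same message once the IdP's default SHA-256 signing applies.
SAMPLE_RESPONSE_SHA256 = (
    SAMPLE_RESPONSE_SHA1
    .replace("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    .replace("http://www.w3.org/2000/09/xmldsig#sha1",
             "http://www.w3.org/2001/04/xmlenc#sha256")
)


def signature_algorithms(xml_text):
    """Return the signature and digest algorithm URIs and whether any is SHA-1."""
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return {"signed": False, "signature": None, "digests": [], "uses_sha1": False}
    method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
    signature = method.get("Algorithm") if method is not None else None
    digests = [d.get("Algorithm") for d in sig.iter(f"{{{DS}}}DigestMethod")]
    uses_sha1 = signature in LEGACY_SHA1 or any(d in LEGACY_SHA1 for d in digests)
    return {"signed": True, "signature": signature,
            "digests": digests, "uses_sha1": uses_sha1}


if __name__ == "__main__":
    for label, doc in (("sha1", SAMPLE_RESPONSE_SHA1), ("sha256", SAMPLE_RESPONSE_SHA256)):
        print(label, signature_algorithms(doc))
```

Point it at a Response captured from a browser SAML tracer (after base64-decoding) and the uses_sha1 flag tells you whether the override is still in effect for that SP.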