wish list: ability to define reusable blocs in SP configuration

Guillaume Rousse guillaume.rousse at renater.fr
Mon Aug 13 09:47:03 EDT 2018


On 06/08/2018 at 17:07, Cantor, Scott wrote:
>> BTW, this organisational issue aside, how do you distinguish between
>> different federations, with just attribute-based filtering ? Some kind of SP-
>> set 'is-member-of' attribute ?
> 
> Federations don't exist in SAML, so there is no technical representation of that. IDP-wise, it's not recommended to do it, but you can always enforce rules by IdP and since you can do that structurally via access control rules, you can do it with no impact on the applications as a transition tool.
> 
>> I fear than switching from SP-based routing to Apache-based routing would
>> just be moving complexity from one part to another, with additional binding
>> with different pieces of software moreover. I'd be more interested in a
>> content-based rule on SP side, here, instead of hardwiring an application list
>> on DS side.
> 
> And, you can. I checked, discoveryURL is a content setting. Already done.
Thanks for those explanations.

I read the content mapper documentation carefully. If I understand it 
correctly, our use case could get simplified considerably by loading 
all metadata (at least for the default federation and the guest IdP) in 
the ApplicationDefaults section of the SP configuration file, and then 
adding access restrictions based on the Shib-Identity-Provider value in 
application-specific Apache configuration files, i.e.:

shibboleth2.xml:
<ApplicationDefaults entityID="https://proxy_entityid">
   <SSO
     discoveryProtocol="SAMLDS"
     discoveryURL="https://discovery_federation+guest_idp">SAML2</SSO>

     <MetadataProvider type="Chaining">
       <MetadataProvider type="XML"
         url="https://federation_metadata.xml"
         backingFilePath="/var/cache/shibboleth/federation_metadata.xml">
         <MetadataFilter type="Signature" certificate="federation.crt"/>
       </MetadataProvider>
       <MetadataProvider type="XML"
         url="https://guest_idp_metadata.xml"
         backingFilePath="/var/cache/shibboleth/guest_idp_metadata.xml">
         <MetadataFilter type="Signature" certificate="guest_idp.crt"/>
       </MetadataProvider>
     </MetadataProvider>

</ApplicationDefaults>

app1.conf (restricted to federation only):
<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession true
    ShibRequestSetting entityIDSelf app1_entityid
    ShibRequestSetting discoveryURL https://discovery_federation_only
    ShibUseHeaders On
    Require shib-session
    Require shib-attr Shib-Identity-Provider ! guest_idp_entityid
</Location>

app2.conf (authorized to federation + guest IdP):
<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession true
    ShibRequestSetting entityIDSelf app2_entityid
    ShibUseHeaders On
    Require shib-session
</Location>

Am I correct ?

Regards.
-- 
Guillaume Rousse
Pôle SSI

Tel: +33 1 53 94 20 45
www.renater.fr
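Added example, not part of the original post or of the Shibboleth project's own documentation: the app1.conf restriction above written twice, once as posted and once with the two Require rules wrapped in a RequireAll container. It assumes Apache 2.4 (mod_authz_core) semantics, where several bare Require lines inside one Location are implicitly combined as RequireAny, so a session from the guest IdP satisfies "Require shib-session" on its own and the shib-attr rule never gets a chance to deny it. The placeholders (app1_entityid, guest_idp_entityid, https://discovery_federation_only) are the poster's, not real values, and the shib-attr line is kept exactly as posted.

```apache
# Added example (not from the original post). Assumes Apache 2.4 authorization
# semantics. Only one of the two <Location /> blocks would go in a real app1.conf.

# --- As posted: implicit RequireAny, so the attribute rule never restricts ---
# A session from guest_idp_entityid matches "Require shib-session" and is granted
# access; the "! guest_idp_entityid" rule is only one of two alternatives.
<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession true
    ShibRequestSetting entityIDSelf app1_entityid
    ShibRequestSetting discoveryURL https://discovery_federation_only
    ShibUseHeaders On
    Require shib-session
    Require shib-attr Shib-Identity-Provider ! guest_idp_entityid
</Location>

# --- Corrected: both conditions must hold for access to be granted -----------
<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession true
    ShibRequestSetting entityIDSelf app1_entityid
    ShibRequestSetting discoveryURL https://discovery_federation_only
    ShibUseHeaders On
    <RequireAll>
        Require shib-session
        Require shib-attr Shib-Identity-Provider ! guest_idp_entityid
    </RequireAll>
</Location>
```

The quickest check is to log in to app1 through the guest IdP with the first block in place and confirm access is granted, then repeat with the second block and confirm it is denied. On Apache 2.2 the combination of rules was governed by the SP's own ShibRequireAll directive instead of a RequireAll container, so the same test is worth running after any Apache upgrade.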
