wish list: ability to define reusable blocs in SP configuration
Guillaume Rousse
guillaume.rousse at renater.fr
Mon Aug 13 09:47:03 EDT 2018
On 06/08/2018 at 17:07, Cantor, Scott wrote:
>> BTW, this organisational issue aside, how do you distinguish between
>> different federations, with just attribute-based filtering? Some kind of SP-
>> set 'is-member-of' attribute?
>
> Federations don't exist in SAML, so there is no technical representation of that. IDP-wise, it's not recommended to do it, but you can always enforce rules by IdP and since you can do that structurally via access control rules, you can do it with no impact on the applications as a transition tool.
>
>> I fear that switching from SP-based routing to Apache-based routing would
>> just be moving complexity from one part to another, with additional binding
>> with different pieces of software moreover. I'd be more interested in a
>> content-based rule on SP side, here, instead of hardwiring an application list
>> on DS side.
>
> And, you can. I checked, discoveryURL is a content setting. Already done.
Thanks for those explanations.
I read the content mapper documentation carefully. If I understand it
correctly, our use case could get simplified considerably by loading
all metadata (at least, for the default federation and the guest IdP) in
the ApplicationDefaults section of the SP configuration file, and then
adding access restrictions based on the Shib-Identity-Provider value in
application-specific Apache configuration files, i.e.:
shibboleth2.xml:

  <ApplicationDefaults entityID="https://proxy_entityid">
    <SSO
      discoveryProtocol="SAMLDS"
      discoveryURL="https://discovery_federation+guest_idp">SAML2</SSO>
    <MetadataProvider type="Chaining">
      <MetadataProvider type="XML"
        url="https://federation_metadata.xml"
        backingFilePath="/var/cache/shibboleth/federation_metadata.xml">
        <MetadataFilter type="Signature" certificate="federation.crt"/>
      </MetadataProvider>
      <MetadataProvider type="XML"
        url="https://guest_idp_metadata.xml"
        backingFilePath="/var/cache/shibboleth/guest_idp_metadata.xml">
        <MetadataFilter type="Signature" certificate="guest_idp.crt"/>
      </MetadataProvider>
    </MetadataProvider>
  </ApplicationDefaults>
app1.conf (restricted to federation only):

  <Location />
    AuthType shibboleth
    ShibRequestSetting requireSession true
    ShibRequestSetting entityIDSelf app1_entityid
    ShibRequestSetting discoveryURL https://discovery_federation_only
    ShibUseHeaders On
    Require shib-session
    Require shib-attr Shib-Identity-Provider ! guest_idp_entityid
  </Location>
app2.conf (authorized to federation + guest IdP):

  <Location />
    AuthType shibboleth
    ShibRequestSetting requireSession true
    ShibRequestSetting entityIDSelf app2_entityid
    ShibUseHeaders On
    Require shib-session
  </Location>
Am I correct?
Regards.
--
Guillaume Rousse
Pôle SSI
Tel: +33 1 53 94 20 45
www.renater.fr
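Added example, not part of the message above nor of the Shibboleth project: a small Python audit that parses a shibboleth2.xml fragment shaped like the one proposed and reports the two things a reviewer would check first when all federation and guest metadata is loaded into ApplicationDefaults, namely that every remote MetadataProvider of type XML carries a Signature MetadataFilter with a verification certificate, and that metadata and discovery URLs use https. The sample configuration below is constructed for the check (it is wrapped in the SP 3 configuration namespace, which is an assumption, and the guest IdP provider deliberately lacks the signature filter and uses plain http), so it is not the author's real configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the proposal in the mail. The second
# provider is intentionally misconfigured so the audit has something to flag.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://proxy_entityid">
    <SSO discoveryProtocol="SAMLDS"
         discoveryURL="https://discovery_federation+guest_idp">SAML2</SSO>
    <MetadataProvider type="Chaining">
      <MetadataProvider type="XML" url="https://federation_metadata.xml"
          backingFilePath="/var/cache/shibboleth/federation_metadata.xml">
        <MetadataFilter type="Signature" certificate="federation.crt"/>
      </MetadataProvider>
      <MetadataProvider type="XML" url="http://guest_idp_metadata.xml"
          backingFilePath="/var/cache/shibboleth/guest_idp_metadata.xml">
      </MetadataProvider>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def audit_sp_config(xml_text):
    """Return a list of findings (strings); an empty list means no issue found.

    Checks, for each MetadataProvider type="XML" with a url attribute:
      - a MetadataFilter type="Signature" is present,
      - that filter pins a certificate (attribute) or a nested trust config,
      - the url is https.
    Also checks that every SSO discoveryURL is https.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        name = local_name(el.tag)
        if name == "SSO":
            disco = el.get("discoveryURL")
            if disco and not disco.startswith("https://"):
                findings.append(f"SSO: discoveryURL {disco} is not https")
        if name != "MetadataProvider" or el.get("type") != "XML":
            continue
        url = el.get("url")
        if url is None:
            continue  # provider reading a local file; signature policy differs
        label = el.get("backingFilePath") or url
        sig_filters = [
            f for f in el
            if local_name(f.tag) == "MetadataFilter" and f.get("type") == "Signature"
        ]
        if not sig_filters:
            findings.append(f"{label}: remote metadata has no Signature filter")
        elif not any(f.get("certificate") or len(f) > 0 for f in sig_filters):
            findings.append(f"{label}: Signature filter pins no certificate")
        if not url.startswith("https://"):
            findings.append(f"{label}: metadata fetched over plain http")
    return findings


if __name__ == "__main__":
    for finding in audit_sp_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real shibboleth2.xml by passing the file contents to audit_sp_config; because the check matches on local element names it works both for the bare fragment above and for a namespaced SP 2 or SP 3 file. The Signature check only looks at the provider's own child filters, so a Signature filter placed on the enclosing Chaining provider would be reported as missing on the inner ones; that is deliberate, since each remote source should pin the key of its own publisher.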