Cherwell application (on-prem)
IAM David Bantz
db at alaska.edu
Mon Apr 29 13:43:10 EDT 2019
UAlaska is currently using Cherwell Service Management with Shibb 3.3.1 and
3.4.3 instances of IdP with no config differences.
Two unusual aspects of Cherwell:
1. Both thick (Windows) clients and a web browser interface are supported. To
support both as seamlessly as possible, our AD team asked that we identify
users of the web client with an identifier including the Windows domain,
like ua\username. This required ginning up that identifier in
attribute-resolver.xml
2. Cherwell did (at least when we first integrated access with Shibboleth
years ago) require a subject nameID with "kerberos" format. We did this
integration with the initial roll-out of Cherwell with on-site vendor
support. My recollection is that we tried other formats but were unable to
get the SP to accept the assertion without that kerberos format (Scott's 1%
perhaps?), which was in turn modeled on the vendor's experience at another
famous University.
To accommodate these requirements, we have the following customizations for
Cherwell in our Shibboleth config
(you may consider these inconsistent, stupid or wrong, but they've been
working reliably for us):
in attribute-resolver.xml:

<!-- build an attribute to use with Cherwell: value = ua\uausername -->
<AttributeDefinition
    id="domainUsername"
    xsi:type="ScriptedAttribute"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver">
    <!-- use UA Username ~netid previously resolved -->
    <Dependency ref="uaUsername" />
    <AttributeEncoder
        xsi:type="SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        friendlyName="username" />
    <Script>
        <![CDATA[
        // first value of the already-resolved uaUsername attribute, without the Windows domain
        usernamewodomain = uaUsername.getValues().get(0);
        // prefix it with the AD domain so Cherwell sees ua\username
        domainUsername.addValue("ua\\" + usernamewodomain);
        logger.debug("added domain to username with result = " + domainUsername.getValues());
        ]]>
    </Script>
</AttributeDefinition>
in saml-nameid.xml:

<!-- Kerberos NameId for Cherwell -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
      attributeSourceIds="#{ {'domainUsername'} }">
    <property name="activationCondition">
        <bean parent="shibboleth.Conditions.RelyingPartyId"
              candidates="#{ {
                  'https://ualaska.cherwellondemand.com',
                  'https://ualaskatest.cherwellondemand.com'
              } }"/>
    </property>
</bean>
As a result, the SAML assertion to Cherwell, prior to encryption, includes:

<Subject>
    <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
                  NameQualifier="urn:mace:incommon:alaska.edu"
                  SPNameQualifier="https://ualaska.cherwellondemand.com">ua\dabantz</saml2:NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData Address="••••••"
                                 InResponseTo="_0a35fb42-82f2-44f4-b8d5-841eef7bb0e9"
                                 NotOnOrAfter="2019-04-29T17:08:42.600Z"
                                 Recipient="https://ualaska.cherwellondemand.com/cherwellservice/Saml/Assertion.aspx"/>
    </SubjectConfirmation>
</Subject>
David Bantz
UA OIT IAM
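An added example, not from the post and not Cherwell's or UAlaska's code: the checks a relying party should apply to the Subject shown above (kerberos NameID format, the ua\username shape the domainUsername attribute produces, and the bearer SubjectConfirmationData fields), run in Python against a constructed copy of the excerpt. The entityID and ACS URL are the ones in the post, the AuthnRequest ID is a stand-in, and the real SP verifies the signature and decrypts the assertion before any of this.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
KERBEROS_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP_ENTITY_ID = "https://ualaska.cherwellondemand.com"  # from the post
ACS_URL = "https://ualaska.cherwellondemand.com/cherwellservice/Saml/Assertion.aspx"  # from the post
REQUEST_ID = "_0a35fb42-82f2-44f4-b8d5-841eef7bb0e9"  # stand-in for the AuthnRequest ID this SP issued
DOMAIN_USER_RE = re.compile(r"^ua\\[A-Za-z0-9._-]+$")  # ua\username, as built by domainUsername
# Constructed sample modelled on the assertion excerpt in the post (redacted Address omitted).
SAMPLE_SUBJECT = """<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
      SPNameQualifier="https://ualaska.cherwellondemand.com">ua\\dabantz</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData InResponseTo="_0a35fb42-82f2-44f4-b8d5-841eef7bb0e9"
        NotOnOrAfter="2019-04-29T17:08:42.600Z"
        Recipient="https://ualaska.cherwellondemand.com/cherwellservice/Saml/Assertion.aspx"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>"""

def parse_saml_time(value):  # xs:dateTime in UTC with fraction, e.g. 2019-04-29T17:08:42.600Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_subject(xml_text, now_iso, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL, request_id=REQUEST_ID):
    """Return the problems found in a SAML2 <Subject> as of now_iso; an empty list means it passed."""
    ns, problems = {"saml2": SAML2}, []
    subject = ET.fromstring(xml_text)
    name_id = subject.find("saml2:NameID", ns)
    if name_id is None:
        return ["no NameID"]
    if name_id.get("Format") != KERBEROS_FORMAT:
        problems.append("NameID Format is not kerberos")
    if name_id.get("SPNameQualifier") != sp_entity_id:
        problems.append("SPNameQualifier does not match this SP")
    if not DOMAIN_USER_RE.match((name_id.text or "").strip()):  # strip: the post's excerpt is line-wrapped
        problems.append("NameID value is not domain-qualified (ua\\username)")
    conf = subject.find("saml2:SubjectConfirmation", ns)
    data = None if conf is None else conf.find("saml2:SubjectConfirmationData", ns)
    if data is None or conf.get("Method") != BEARER:
        return problems + ["missing bearer SubjectConfirmation"]
    if data.get("Recipient") != acs_url:
        problems.append("Recipient is not this SP's ACS URL")
    if data.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the request this SP issued")
    expires = data.get("NotOnOrAfter")
    if not expires or parse_saml_time(now_iso) >= parse_saml_time(expires):
        problems.append("SubjectConfirmationData expired or has no NotOnOrAfter")
    return problems
```

`check_subject(SAMPLE_SUBJECT, "2019-04-29T17:05:00.000Z")` returns an empty list for the excerpt as posted; the same call at or after the NotOnOrAfter instant, or with a different Recipient, reports the specific failure.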
On Mon, Apr 29, 2019 at 6:03 AM Lohr, Donald <lohrda at jmu.edu> wrote:
> While doing some web searching over the weekend I found the following url:
>
> https://iam.alaska.edu/shib/wiki/Cherwell
>
> Was this config based in Shib IdP 2.x? If I may, are you running Shib IdP
> 3.x, if so what does your Shib IdP 3.x config look like for Cherwell?
>
> We are running Shib IdP 3.3.3.
>
> Thanks,
> Don
>