SAML2/Shibb client login to Gartner
Morgan, Andrew Jason
morgan at oregonstate.edu
Mon Nov 25 19:03:51 EST 2019
It wasn't too hard...
Here is what I have in metadata-providers.xml:
<!-- gartner metadata -->
<MetadataProvider id="gartner" xsi:type="FileBackedHTTPMetadataProvider"
        xmlns="urn:mace:shibboleth:2.0:metadata"
        metadataURL="https://ssofed.gartner.com/pf/federation_metadata.ping?PartnerIdpId=https://login.oregonstate.edu/idp/shibboleth"
        backingFile="%{idp.home}/metadata/gartner.xml"
        minRefreshDelay="PT5M"
        maxRefreshDelay="PT1H"
        refreshDelayFactor="0.75">
    <MetadataFilter xsi:type="Predicate" direction="include" removeEmptyEntitiesDescriptors="true" trim="true">
        <Entity>http://www.gartner.com</Entity>
    </MetadataFilter>
</MetadataProvider>
and attribute-filter.xml:
<!-- gartner filters -->
<AttributeFilterPolicy id="gartner">
    <PolicyRequirementRule xsi:type="Requester" value="http://www.gartner.com" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
They wanted us to perform access control, so I use an intercept for that.
Let me know if you have any questions.
Thanks,
Andy Morgan
Identity & Access Management
Oregon State University
________________________________
From: users <users-bounces at shibboleth.net> on behalf of IAM David Bantz <dabantz at alaska.edu>
Sent: Monday, November 25, 2019 3:42 PM
To: Shib Users <users at shibboleth.net>
Subject: SAML2/Shibb client login to Gartner
I've been asked to look into SSO client login to Gartner. Archives have a several-year-old discussion in which Yale and CMU indicate they did get Gartner client logins relying on their Shibb IdP with unusual effort. I'm hoping for details, documentation, and/or updates from participants here.
David Bantz
UA OIT IAM
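
An added example, not part of the original messages or of the Shibboleth project: a small Python audit that reads an attribute-filter.xml and reports which attributes each requester receives, so a release policy like the gartner one above can be checked against an approved list. The function names, the wrapping root element and its namespaces are assumptions based on a stock IdP v3 file with unqualified xsi:type values, as used in the message.

```python
import xml.etree.ElementTree as ET

# Namespaces assumed from a stock IdP v3 attribute-filter.xml root element.
AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: the gartner policy from the message, wrapped in the
# root element a complete attribute-filter.xml would have.
SAMPLE = f"""<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="{AFP}" xmlns:xsi="{XSI}">
  <AttributeFilterPolicy id="gartner">
    <PolicyRequirementRule xsi:type="Requester" value="http://www.gartner.com" />
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def released_attributes(xml_text):
    """Map each requester entityID to {attributeID: permit rule type}."""
    root = ET.fromstring(xml_text)
    out = {}
    for policy in root.iter(f"{{{AFP}}}AttributeFilterPolicy"):
        req = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if req is None:
            continue
        rtype = req.get(f"{{{XSI}}}type")
        # Non-Requester rules (e.g. ANY) are reported under "<type>", not dropped.
        who = req.get("value") if rtype == "Requester" else f"<{rtype}>"
        attrs = out.setdefault(who, {})
        for rule in policy.iter(f"{{{AFP}}}AttributeRule"):
            permit = rule.find(f"{{{AFP}}}PermitValueRule")
            if permit is not None:
                attrs[rule.get("attributeID")] = permit.get(f"{{{XSI}}}type")
    return out

def over_release(xml_text, approved):
    """Return {requester: sorted attributes released beyond the approved set}."""
    extra = {}
    for who, attrs in released_attributes(xml_text).items():
        surplus = sorted(set(attrs) - approved.get(who, set()))
        if surplus:
            extra[who] = surplus
    return extra
```

A requester missing from the approved mapping has every released attribute reported, which makes a newly added policy visible in review.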