Proxy IdP + activationConditions

Mak, Steve makst at upenn.edu
Tue Jan 19 16:16:26 UTC 2021


So I think I need some more help with proxy IdP; this time I'm trying to do some activation conditions.

When proxy IdP attributes come back (this is working), I'm trying to join with data we have locally from a DataConnector (DB containing entitlements) and then do an activationCondition on the local entitlement, to use for controlling whether we allow the proxy IdP attributes to resolve into attributes for the service. So far everything works except the activation condition isn't properly denying my attributes, and I think I'm doing something wrong.

Flow logic:
	proxy attributes received > resolve proxy subject > build data connector results using proxy subject as $resolutionContext.principal > resolve epe-proxy > resolve idp attributes if activationCondition is true > build SAML assertion/response


Config below (somewhat redacted) --

proxy subject:
    <AttributeDefinition id="subject-proxy" xsi:type="SubjectDerivedAttribute" forCanonicalization="true" principalAttributeName="proxy-employeeNumber"/>

Data connector:
    <DataConnector id="entitlements-for-proxy" xsi:type="RelationalDatabase">
        <BeanManagedConnection>global-datasource</BeanManagedConnection>
        <QueryTemplate><![CDATA[
                SELECT "EMP_NUM", "GROUP_NAME" AS "EPE"
                FROM "SHIBBOLETH_ENTITLEMENTS_VIEW"
                WHERE "EMP_NUM" = (regexp_match('$resolutionContext.principal','(^[0-9]+$)'))[1]::bigint;
            ]]>
        </QueryTemplate>
        <Column columnName="EMP_NUM" attributeID="employeeNumber"/>
        <Column columnName="EPE" attributeID="eduPersonEntitlement"/>
        <ResultCache expireAfterWrite="PT15M"/>
    </DataConnector>

entitlement created locally:
    <AttributeDefinition id="epe-proxy" xsi:type="Simple" activationConditionRef="ProxyPerson">
        <InputDataConnector ref="entitlements-for-proxy" attributeNames="eduPersonEntitlement"/>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </AttributeDefinition>

Activation condition in global.xml or new file loaded via services.xml:
    <bean id="ProxyPerson" parent="shibboleth.Conditions.AND">
        <constructor-arg>
            <bean parent="shibboleth.Conditions.OR">
                <constructor-arg>
                    <list>
                        <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="{redacted - service 1}"/>
                        <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="{redacted - service 2}"/>
                    </list>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate" p:useUnfilteredAttributes="true">
                <property name="attributeValueMap">
                    <map>
                        <entry key="epe-proxy">
                            <list>
                                <value>{redacted - specific entitlement value to check}</value>
                            </list>
                        </entry>
                    </map>
                </property>
            </bean>
        </constructor-arg>
    </bean>
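One thing worth checking mechanically in a config like the one above is which attribute ids each SimpleAttributePredicate condition reads, and whether an AttributeDefinition is gated by a condition that reads that same definition (here, ProxyPerson gates epe-proxy and also keys on epe-proxy). The script below is an added example, not from the post or the Shibboleth project; the two XML documents are constructed from the snippets (with a hypothetical proxy-givenName definition added), and the parsing is a simplified stand-in for Spring's real bean wiring.

```python
# Added example: static check over resolver and condition XML, constructed
# from the post's snippets (proxy-givenName is a hypothetical extra definition).
import xml.etree.ElementTree as ET

RESOLVER_XML = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver">
  <AttributeDefinition id="epe-proxy" activationConditionRef="ProxyPerson"/>
  <AttributeDefinition id="proxy-givenName" activationConditionRef="ProxyPerson"/>
</AttributeResolver>"""

BEANS_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="ProxyPerson" parent="shibboleth.Conditions.AND">
    <constructor-arg>
      <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
        <property name="attributeValueMap"><map>
          <entry key="epe-proxy"><list><value>urn:example:entitlement</value></list></entry>
        </map></property>
      </bean>
    </constructor-arg>
  </bean>
</beans>"""

def local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit('}', 1)[-1]

def condition_dependencies(beans_xml):
    """Map each top-level condition bean id to the attribute ids read by
    any SimpleAttributePredicate attributeValueMap nested inside it."""
    deps = {}
    for bean in ET.fromstring(beans_xml):
        if local(bean.tag) != 'bean' or 'id' not in bean.attrib:
            continue
        keys = {el.attrib['key'] for el in bean.iter()
                if local(el.tag) == 'entry' and 'key' in el.attrib}
        deps[bean.attrib['id']] = keys
    return deps

def self_gated_definitions(resolver_xml, beans_xml):
    """Return ids of AttributeDefinitions whose activation condition reads
    the very attribute being defined (a circular dependency)."""
    deps = condition_dependencies(beans_xml)
    found = []
    for el in ET.fromstring(resolver_xml):
        if local(el.tag) != 'AttributeDefinition':
            continue
        cond = el.attrib.get('activationConditionRef')
        if cond and el.attrib['id'] in deps.get(cond, set()):
            found.append(el.attrib['id'])
    return found
```

Run against real files, the check only covers conditions expressed as attributeValueMap entries; conditions implemented as scripts or custom predicates need to be read by hand.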