Switch Shibboleth Backchannel and Attribute Query Plugin

From swissbib

Latest revision as of 12:12, 4 November 2019

Attribute Query Plugin

The goal is to refresh a user's attributes while that user is not logged in (use case: national licences).

Up to Shibboleth SP 2.5 this is a separate plugin; from 2.6 on it is bundled with the standard package.

Slides on the topic: https://www.switch.ch/aai/support/presentations/update2016/06_Attribute-Query.pdf

Shibboleth documentation: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPHandler#NativeSPHandler-AttributeResolverHandler%28Version2.6andAbove%29

SWITCH documentation: https://forge.switch.ch/projects/edu-id/wiki/Swiss_edu-ID_Attribute_Query

Instructions for the Configuration of Backchannel for Service Provider >= 2.6

Edit the Shibboleth configuration (/etc/shibboleth/shibboleth2.xml):

Add the following library to the <Extensions> element inside the <OutOfProcess> element:

<Library path="plugins.so" fatal="true"/>

The result looks like this:

<OutOfProcess>
    <Extensions>
        <Library path="plugins.so" fatal="true"/>
    </Extensions>
</OutOfProcess>


Add the following library to the <Extensions> element inside the <InProcess> element:

<Library path="plugins-lite.so" fatal="true"/>

The result looks like this:

<InProcess>
    <Extensions>
        <Library path="plugins-lite.so" fatal="true"/>
    </Extensions>
</InProcess>


Add a handler of type AttributeResolver to the <Sessions> element:

<Handler type="AttributeResolver" Location="/AttributeResolver" acl="127.0.0.1 ::1" />

The acl restricts the handler to clients on the loopback interface. The handler returns the attributes of whatever nameId it is given, with no further authorization, so keep it limited to local callers and do not expose it through the public virtual host.

Then restart the services:

sudo service shibd restart
sudo service apache2 restart

After that, you can query the handler from the SP host itself with the following syntax (-k disables certificate verification, which is only acceptable here because the request never leaves the host and the certificate is issued for the public hostname, not for localhost):

curl -k 'https://localhost/Shibboleth.sso/AttributeResolver?entityID=https%3A%2F%2Feduid.ch%2Fidp%2Fshibboleth&nameId=u0MO2QCF/pU50JKuivCDYPMToIE=&format=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Apersistent&encoding=JSON%2FCGI'

The response is (personal values masked with *):

{
    "mobile" : "+41 79 *** ** **",
    "swissLibraryPersonResidence" : "CH",
    "homeOrganizationType" : "others",
    "entitlement" : "urn:mace:dir:entitlement:common-lib-terms",
    "uniqueID" : "52280*******@eduid.ch",
    "homeOrganization" : "eduid.ch",
    "mail" : "****.*****@unibas.ch",
    "persistent-id" : "https://eduid.ch/idp/shibboleth!https://www.swissbib.ch/shibboleth!u0MO2QCF/pU50JKuivCDYPMToIE=",
    "swissEduIdAssuranceLevel" : "mobile:https://eduid.ch/def/loa2;mail:https://eduid.ch/def/loa2;homePostalAddress:https://eduid.ch/def/loa2",
    "givenName" : "Hans",
    "surname" : "Mustermann",
    "homePostalAddress" : "Schöne Strasse 61$4056 Basel$Switzerland",
    "swissEduIDUsage1y" : "TRUE",
    "affiliation" : "affiliate",
    "persistent-id" : "https://eduid.ch/idp/shibboleth!https://www.swissbib.ch/shibboleth!u0MO2QCF/pU50JKuivCDYPMToIE="
}


This gives you the current values of the SAML attributes from SWITCH edu-ID, without the user being logged in.

The value of the nameId argument is the last component of the persistent-id (the part after the second !), URL-encoded: the component is base64 and may contain +, / and =, so for example + must become %2B, otherwise the web server decodes it as a space. You can find it in the user table of the VuFind database:

select username from user;
+-------------------------------------------------------------------------------------------------------------+
| username                                                                                                    |
+-------------------------------------------------------------------------------------------------------------+
| https://eduid.ch/idp/shibboleth!https://www.swissbib.ch/shibboleth!u0MO2QCF/pU50JKuivCDYPMToIE=             |
+-------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Currently, this is also stored as the persistent_id field of the national_licence_user table.

Errors

Surprisingly, when you query the back-channel with an unknown nameId, you get a normal answer and no error. The response simply echoes the persistent-id reconstructed from the request and carries no other attributes, so a caller must check that the expected attributes (for example uniqueID or mail) are present rather than relying on an error to detect an unknown user:

curl -k 'https://localhost/Shibboleth.sso/AttributeResolver?entityID=https%3A%2F%2Feduid.ch%2Fidp%2Fshibboleth&nameId=AAAAAAAAAAAAAAAAAAAAAAa=&format=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Apersistent&encoding=JSON%2FCGI'

The response then contains only the reconstructed persistent-id:

{
    "persistent-id" : "https://eduid.ch/idp/shibboleth!https://test.swissbib.ch/shibboleth!AAAAAAAAAAAAAAAAAAAAAAa="
}
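
The following is an added example in Python, not code from the swissbib wiki or from the Shibboleth project. It ties the two parts above together: it extracts the nameId from a persistent-id as stored in the VuFind user table, builds the AttributeResolver URL with proper percent-encoding (so + becomes %2B and = becomes %3D), and classifies the JSON/CGI answer, treating a response that carries only the persistent-id (the unknown-id case in the Errors section) as "not resolved". The attribute names used for that check (uniqueID, mail) are an assumption taken from the sample response above; adjust them to your own attribute-map. The sample bodies are constructed from the masked output shown on this page, so the demo runs offline; only fetch_attributes() talks to a real SP.

```python
"""Build AttributeResolver back-channel queries and validate the answers.

Added example, not part of the swissbib page or of the Shibboleth SP.
Assumes the handler configuration shown on the page: the AttributeResolver
handler at /Shibboleth.sso/AttributeResolver, queried over loopback with
encoding=JSON/CGI.
"""
import json
import ssl
import urllib.parse
import urllib.request

EDUID_ENTITY_ID = "https://eduid.ch/idp/shibboleth"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Assumption: attributes whose presence shows the IdP really resolved the
# user. Taken from the sample response on the page; adjust to your attribute-map.
REQUIRED_ATTRIBUTES = ("uniqueID", "mail")


def name_id_from_persistent_id(persistent_id: str) -> str:
    """Return the opaque last component of a persistent-id.

    persistent-id = <IdP entityID>!<SP entityID>!<nameId>. The nameId is
    base64 and may contain '/', '+' and '=', but never '!', so a plain split
    on '!' is safe.
    """
    parts = persistent_id.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a persistent-id: {persistent_id!r}")
    return parts[2]


def build_query_url(persistent_id: str, host: str = "localhost") -> str:
    """Build the loopback AttributeResolver URL for one persistent-id.

    urlencode() percent-encodes every reserved character: '+' becomes '%2B'
    (a bare '+' would be decoded as a space), '/' becomes '%2F', '=' becomes
    '%3D', matching the hand-encoded entityID and format values on the page.
    """
    params = {
        "entityID": EDUID_ENTITY_ID,
        "nameId": name_id_from_persistent_id(persistent_id),
        "format": PERSISTENT_FORMAT,
        "encoding": "JSON/CGI",
    }
    return f"https://{host}/Shibboleth.sso/AttributeResolver?" + urllib.parse.urlencode(params)


def classify_response(body: str, expected_name_id: str) -> dict:
    """Parse the JSON/CGI answer and decide whether the user was resolved.

    For an unknown nameId the SP answers with a normal JSON document that
    carries only the reconstructed persistent-id, so the absence of
    REQUIRED_ATTRIBUTES, not an HTTP error, is the failure signal.
    """
    attrs = json.loads(body)  # a repeated "persistent-id" key collapses to one value
    missing = [a for a in REQUIRED_ATTRIBUTES if a not in attrs]
    echoed = attrs.get("persistent-id", "").endswith("!" + expected_name_id)
    return {
        "resolved": not missing and echoed,
        "missing": missing,
        "echoed_name_id": echoed,
        "attributes": attrs,
    }


def fetch_attributes(persistent_id: str, host: str = "localhost", verify_tls: bool = False) -> dict:
    """Query a live handler; the equivalent of the curl -k call on the page."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Same trade-off as `curl -k`: only acceptable because the request
        # stays on the SP host, whose certificate is not issued for localhost.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(build_query_url(persistent_id, host), context=ctx, timeout=10) as resp:
        body = resp.read().decode("utf-8")
    return classify_response(body, name_id_from_persistent_id(persistent_id))


# Constructed sample data, built from the masked responses shown on the page.
GOOD_PID = "https://eduid.ch/idp/shibboleth!https://www.swissbib.ch/shibboleth!u0MO2QCF/pU50JKuivCDYPMToIE="
GOOD_BODY = json.dumps({
    "uniqueID": "52280*******@eduid.ch",
    "mail": "****.*****@unibas.ch",
    "entitlement": "urn:mace:dir:entitlement:common-lib-terms",
    "persistent-id": GOOD_PID,
})
BAD_PID = "https://eduid.ch/idp/shibboleth!https://test.swissbib.ch/shibboleth!AAAAAAAAAAAAAAAAAAAAAAa="
BAD_BODY = json.dumps({"persistent-id": BAD_PID})

if __name__ == "__main__":
    print(build_query_url(GOOD_PID))
    for pid, body in ((GOOD_PID, GOOD_BODY), (BAD_PID, BAD_BODY)):
        result = classify_response(body, name_id_from_persistent_id(pid))
        print("resolved" if result["resolved"] else f"unknown user, missing {result['missing']}")
```

Run it on the SP host as `python3 attrquery.py` to see the two classifications offline; call fetch_attributes(persistent_id) from a cron job or from the national-licence update code to refresh attributes for real users, and treat `resolved == False` as "user no longer known to the IdP" rather than as a transport error.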