1:04 a.m.
So here's the next question, related to passing unmodified assertions from SATOSA to a
SP, specifically COmanage and Shibboleth: What's the right way to bypass the scope
checks Shibboleth usually performs on ePPN/ePTID/ePUID? I'm using the following
PrimaryIdentifier configuration:
```yaml
module: primary_identifier.PrimaryIdentifier
name: PrimaryIdentifier
config:
## look for identifiers in this order (first match wins)
ordered_identifier_candidates:
- attribute_names:
- epuid
- attribute_names:
- eppn
- name_id
name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- attribute_names:
- eppn
- edupersontargetedid
- attribute_names:
- eppn
- add_scope: issuer_entityid
attribute_names:
- name_id
name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- add_scope: issuer_entityid
attribute_names:
- edupersontargetedid
primary_identifier:
"uid"
clear_input_attributes:
false
```
Best wishes,
Matthew
--
"The lyf so short, the craft so longe to lerne."
8:39 a.m.
Hi,
So here's the next question, related to passing
unmodified assertions
from SATOSA to a SP, specifically COmanage and Shibboleth: What's the
right way to bypass the scope checks Shibboleth usually performs on
ePPN/ePTID/ePUID?
Please allow me to take the conversation up one level.
A typical use case is to put COmanage behind SATOSA since it is one of
the SPs/services. But you want to treat the COmanage SP differently than
the other SPs.
For the other SPs you want SATOSA to find the primary identifier from
the assertion/attributes sent by the campus IdP, then use it to look up
the user in an attribute authority (usually LDAP), find attributes like
givenName, sn, and email and add those attributes in the assertion sent
to the SP. The reason is that the attributes managed by the VO through
COmanage are usually what should be sent to those downstream SPs.
The primary identifier used to lookup the user in the attribute
authority (LDAP) is usually the ePPN, ePTID, ePUID, and so on.
For the COmanage SP, however, you want to find the primary identifier,
but not have it do any lookup in LDAP. Instead you want to have COmanage
receive the primary identifier(s) so it can provision it/them to the
directory (ie. LDAP).
You might be tempted to have ePPN/ePTID/ePUID sent to the COmanage SP by
just passing it through. But I would not do that. The primary reason is
the scoping issue you are seeing.
Instead of just passing through ePPN/ePTID/ePUID I would configure
SATOSA for the COmanage SP (with an override) to put ePPN/ePTID/ePUID
into a different SAML attribute, one that is not scoped. A good choice
would be one based on the "new" attributes defined in voPerson, but you
can use whichever SAML attribute you like. You just need to coordinate
it between SATOSA and the COmanage SP.
Then configure the COmanage SP to consume it and configure the COmanage
Organizational Identity EnvSource to consume it from the environment.
Then the Organizational Identity in COmanage will have the identifier(s)
as asserted by the campus, but you will have avoided "messing around"
with the scope.
If I did not anticipate your use case and you really need to have
ePPN/ePTID,ePUID passed through as scoped attributes, then my
apologies...
Thanks,
Scott
6:56 p.m.
Thank you both, Niels and Scott! I think I understand now:
1. If I were to pass ePUID/ePPN/ePTID/etc. to Shibboleth (COmanage), I
would need to recapitulate in Shibboleth the identifier
selection/composition logic implemented by PrimaryIdentifier.
2. Since I'm using the PrimaryIdentifier micro service, the proper
identifier is already in the `uid` SATOSA internal attribute.
3. I can map the `uid` internal attribute to an unscoped SAML attribute
via internal_attributes.yaml.
4. Because I previously reverted to the default name_form of
`urn:oasis:names:tc:SAML:2.0:attrname-format:uri`, if I map the `uid`
internal attribute to the `uid` SAML attribute, SATOSA/pysaml2 will emit
the urn:oid:0.9.2342.19200300.100.1.1 attribute from the saml_uri map,
not the urn:mace:dir:attribute-def:uid attribute from the basic map.
Part of what confused me so much was the process of mapping a SATOSA
internal attribute to a pysaml2 friendly name and mapping a pysaml2
friendly name to a SAML attribute name, the latter which depends on the
SAML attribute name format.
Thanks again!
Matthew
--
I FIGHT FOR THE USERS
2403
days inactive
2405
days old
2 comments
2 participants
participants (2)
-
skoranda@gmail.com -
xenophon@irtnog.org