ECA Auth Data connection implementation for Shibboleth Identity Provider 3

mpassid/shibboleth-idp-attribute-ecadata

ECA Data API Connector

Overview

This module is a Data Connector plugin for Shibboleth Identity Provider v5. It implements user attribute resolution from the ECA Auth Data module, as defined in EduCloud Alliance's ECA Authentication standard. In short, the module resolves the user's attributes through a specific REST API, using two attributes as the hook to the user object stored behind that API. In the ECA Auth standard context, those two attributes are the AuthnID and the IdP identifier.

Prerequisites and compilation

The module is built with Maven:

mvn package

After successful compilation, the target directory contains idp-attribute-impl-ecadata-<version>.jar and idp-attribute-impl-ecadata-<version>-tests.jar.

Deployment

After compilation, target/idp-attribute-impl-ecadata-<version>.jar must be deployed into the IdP web application. Depending on the IdP installation, this can be done, for instance, with the following sequence:

cp target/idp-attribute-impl-ecadata-<version>.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
cd /opt/shibboleth-idp
sh bin/build.sh

The final command rebuilds the WAR package for the IdP application.

Configuration

XML namespace settings

In addition to the existing ones, attribute-resolver.xml must contain the following XML namespace declarations to activate the module:

xmlns:ecadata="fi.mpass.shibboleth.attribute.dc.rest"
xsi:schemaLocation="fi.mpass.shibboleth.attribute.dc.rest classpath:/rest-connector.xsd"

Configuration options

The following configuration attributes are available for the DataConnector itself:

  • endpointUrl: The REST API URL from which the attributes are fetched.
  • hookAttribute: The resolved IdP attribute that contains the calculated ECA authnID.
  • idpId: The resolved IdP attribute that contains the stored IdP identifier for the authnID.
  • resultAttributePrefix: The IdP attribute id prefix that is prepended to the resulting attribute ids.
  • token: The authorization token registered with the ECA DATA API.
  • disregardTLSCertificate: Set to 'true' to skip endpoint certificate validation. Leave it at 'false' outside of testing: with validation disabled, the connector sends the token to, and accepts attributes from, whichever endpoint answers the connection, so a misrouted or intercepted connection is not detected.

Example configuration

An example configuration snippet for attribute-resolver.xml that uses the authnid and idpId attributes as hooks and stores the resulting attributes under the prefix eca. The username returned by the REST API is encoded as a SAML 2 attribute named urn:TODO:namespace:username:

<resolver:AttributeDefinition id="ecausername" xsi:type="ad:Simple">
    <resolver:Dependency ref="ecaDataApi" />
    <resolver:AttributeEncoder 
      xsi:type="enc:SAML2String" 
      name="urn:TODO:namespace:username" 
      friendlyName="username" 
      encodeType="false" />
</resolver:AttributeDefinition>

<resolver:DataConnector 
  id="ecaDataApi" 
  xsi:type="ecadata:RestDataConnector" 
  endpointUrl="https://eca-data.example.org/api/1/user" 
  hookAttribute="authnid" 
  idpId="idpId" 
  resultAttributePrefix="eca" 
  token="secrettoken12345" 
  disregardTLSCertificate="false">
    <resolver:Dependency ref="authnid" />
    <resolver:Dependency ref="idpId" />
</resolver:DataConnector>
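The options listed above and the example snippet can be checked mechanically before the IdP is rebuilt. The following script is an added example and not part of the mpassid project: it parses a resolver fragment, finds every ecadata:RestDataConnector, and reports the settings a reviewer would flag (a non-https endpointUrl, disregardTLSCertificate set to 'true', an empty token or other required option, and a hookAttribute or idpId without a matching resolver:Dependency). It assumes the resolver namespace URI of Shibboleth IdP v3 (urn:mace:shibboleth:2.0:resolver); the two embedded snippets are constructed, one copied from the README example and one deliberately weakened copy.

```python
"""Added example (not the mpassid project's code): lint ecadata:RestDataConnector
settings in an attribute-resolver.xml fragment.

Assumptions: the resolver namespace URI is the IdP v3 one
(urn:mace:shibboleth:2.0:resolver); both snippets below are constructed.
"""
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {
    "resolver": "urn:mace:shibboleth:2.0:resolver",      # assumption: IdP v3 resolver namespace
    "ecadata": "fi.mpass.shibboleth.attribute.dc.rest",  # namespace given in the README
}
# Options the README lists as the connector's configuration (all but the TLS switch).
REQUIRED = ("endpointUrl", "hookAttribute", "idpId", "resultAttributePrefix", "token")


def _wrap(body):
    """Wrap a bare resolver snippet in a root element so ElementTree can parse it."""
    return (
        '<resolver:AttributeResolver'
        ' xmlns:resolver="urn:mace:shibboleth:2.0:resolver"'
        ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
        ' xmlns:ecadata="fi.mpass.shibboleth.attribute.dc.rest">'
        + body + "</resolver:AttributeResolver>"
    )


# Constructed: the README's example connector, unchanged in substance.
GOOD_SNIPPET = _wrap("""
<resolver:DataConnector id="ecaDataApi" xsi:type="ecadata:RestDataConnector"
    endpointUrl="https://eca-data.example.org/api/1/user"
    hookAttribute="authnid" idpId="idpId" resultAttributePrefix="eca"
    token="secrettoken12345" disregardTLSCertificate="false">
  <resolver:Dependency ref="authnid" />
  <resolver:Dependency ref="idpId" />
</resolver:DataConnector>
""")

# Constructed: same connector with a plain-http endpoint, TLS validation disabled,
# an empty token and the idpId dependency left out.
WEAK_SNIPPET = _wrap("""
<resolver:DataConnector id="ecaDataApi" xsi:type="ecadata:RestDataConnector"
    endpointUrl="http://eca-data.example.org/api/1/user"
    hookAttribute="authnid" idpId="idpId" resultAttributePrefix="eca"
    token="" disregardTLSCertificate="true">
  <resolver:Dependency ref="authnid" />
</resolver:DataConnector>
""")


def lint_rest_connectors(xml_text):
    """Return a list of findings for every ecadata:RestDataConnector; empty means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    for dc in root.iter(f"{{{NS['resolver']}}}DataConnector"):
        # xsi:type carries the prefixed type name as a plain string.
        if dc.get(f"{{{XSI}}}type") != "ecadata:RestDataConnector":
            continue
        cid = dc.get("id", "<no id>")
        for name in REQUIRED:
            if not dc.get(name):
                findings.append(f"{cid}: missing or empty '{name}'")
        url = dc.get("endpointUrl", "")
        if url and not url.startswith("https://"):
            findings.append(f"{cid}: endpointUrl is not https, the token would travel in clear")
        if dc.get("disregardTLSCertificate", "false").strip().lower() == "true":
            findings.append(f"{cid}: disregardTLSCertificate=true disables certificate validation")
        # The hook attributes must be produced by something the connector depends on.
        refs = {d.get("ref") for d in dc.findall("resolver:Dependency", NS)}
        for opt in ("hookAttribute", "idpId"):
            val = dc.get(opt)
            if val and val not in refs:
                findings.append(f"{cid}: {opt}='{val}' has no matching resolver:Dependency")
    return findings


if __name__ == "__main__":
    for label, snippet in (("good", GOOD_SNIPPET), ("weak", WEAK_SNIPPET)):
        print(label, lint_rest_connectors(snippet) or "no findings")
```

Run against a real attribute-resolver.xml, the file can be passed straight to lint_rest_connectors since it already carries its namespace declarations; the _wrap helper exists only so the bare README snippet parses on its own.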
