...
1. Define any custom attributes that will be needed (there may only be a single attribute) in attribute-resolver.xml
```xml
<!-- cccEduID - only needed if LDAP contains this attribute, edit sourceAttributeID as appropriate -->
<!--
<resolver:AttributeDefinition xsi:type="ad:Simple" id="cccEduId" sourceAttributeID="cccEduId">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:cccEduId" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:mace:dir:attribute-def:cccEduId" />
</resolver:AttributeDefinition>
-->
```
Note: There will also need to be a way of sending the correct eduPersonAffiliation attribute, with a value of 'staff'. There are many ways to do that, and all of them are beyond the scope of this short document. The exception is an institution that already has that attribute in its LDAP, in which case simply uncommenting the existing definition for eduPersonAffiliation in attribute-resolver.xml will do the trick.
...
3. Configure the SAML metadata for the CCC applications by editing relyingmetadata-partyproviders.xml. Inside the "chaining" <MetadataProvider> section - be .
Note: Be sure to add the referenced local file with content below first
...
```xml
<!-- OpenCCC Metadata, locally maintained -->
<MetadataProvider id="OpenCCCSPfileMD" xsi:type="FilesystemMetadataProvider"
                  metadataFile="C:\opt\shibboleth-idp/metadata/OpenCCCSP-static-metadata.xml"
                  maxRefreshDelay="P1D" />
```
4. Configure Shibboleth to release the appropriate information to the CCC applications by editing attribute-filter.xml
...
```xml
<AttributeFilterPolicy id="releaseForOpenCCCAdminSP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://admin.openccc.net/shibboleth" />
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
        </PermitValueRule>
    </AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy id="releaseForOpenCCCControlSP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://ci.control.openccc.net/shibboleth" />
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
        </PermitValueRule>
    </AttributeRule>
</AttributeFilterPolicy>
```
5. Send your IDP metadata file to the CCCTC Implementation team.
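Before sending the metadata, it is worth confirming what the edited attribute-filter.xml actually releases. The Python sketch below is an added example, not part of the original instructions: it lists the released attributes per requester and flags any policy that would filter out the 'staff' affiliation. The root element, its namespace URIs and the function names are assumptions, and the sample is an abridged, constructed copy of the step 4 policy.

```python
import xml.etree.ElementTree as ET
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: an abridged copy of the step 4 policy, wrapped in a root
# element whose namespace declarations are assumed (Shibboleth 2.x afp / basic).
SAMPLE = """<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseForOpenCCCAdminSP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://admin.openccc.net/shibboleth" />
    <AttributeRule attributeID="givenName"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
      <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def local(tag):            # element name without its {namespace} part
    return tag.rsplit("}", 1)[-1]
def xtype(elem):           # xsi:type without its prefix, e.g. "ANY"
    return elem.get(XSI_TYPE, "").split(":")[-1]
def kids(elem, name):      # direct children with the given local name
    return [c for c in elem if local(c.tag) == name]

def release_map(xml_text):
    """Map each requester entityID to {attributeID: "ANY" | [permitted values]}."""
    out = {}
    for policy in ET.fromstring(xml_text).iter():
        if local(policy.tag) != "AttributeFilterPolicy":
            continue
        attrs = {}
        for rule in kids(policy, "AttributeRule"):
            for permit in kids(rule, "PermitValueRule"):
                # Values are lowercased because the page's rules set ignoreCase="true".
                attrs[rule.get("attributeID")] = "ANY" if xtype(permit) == "ANY" else \
                    sorted(r.get("value", "").lower() for r in kids(permit, "Rule"))
        for req in kids(policy, "PolicyRequirementRule"):
            if xtype(req) == "AttributeRequesterString":
                out[req.get("value")] = attrs
    return out

def blocks_staff(xml_text):
    """Requesters whose policy would filter out eduPersonAffiliation 'staff'."""
    return [req for req, attrs in release_map(xml_text).items()
            if attrs.get("eduPersonAffiliation", []) != "ANY"
            and "staff" not in attrs.get("eduPersonAffiliation", [])]
```

Run `release_map()` and `blocks_staff()` over the text of the real attribute-filter.xml; an empty list from `blocks_staff()` means every listed requester can receive the 'staff' value.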
...