...

  • No firewall between IdP and Active Directory
  • Windows 2008 R2 preferred (if Windows)
  • 4 GB RAM, modern processor, ~24 GB storage should be enough for: logging, OS, apps
  • No failover needs
  • Commercial SSL cert availability for IdP (and DNS resolution for the selected name)
  • Remote access (RDP for Windows, SSH for Linux)

Info: Shibboleth 2 vs. Shibboleth 3 Customizations
  • Chaining is now assumed for all entries in the metadata-providers.xml configuration file
  • Prefixes such as 'afp:' for the filter entries and 'metadata:' for the metadata entry are no longer needed

Note: Leaving the 'afp:' prefix in place is harmless, but a leftover 'metadata:' prefix will not be recognized unless you add the following to the other xmlns entries in the top-level <MetadataProvider> element of metadata-providers.xml: xmlns:metadata="urn:mace:shibboleth:2.0:metadata"

 


To customize a working Shibboleth IdP for the OpenCCC Account Creation, CCCApply, and BOG Fee Waiver applications, the following changes are required to the Shibboleth configuration files:

1. Define any custom attributes that will be needed (there may be only a single one) in attribute-resolver.xml

```xml
<!-- cccEduID - only needed if LDAP contains this attribute, edit sourceAttributeID as appropriate -->
<!--
<resolver:AttributeDefinition xsi:type="ad:Simple" id="cccEduId" sourceAttributeID="cccEduId">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:cccEduId" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:mace:dir:attribute-def:cccEduId" />
</resolver:AttributeDefinition>
-->
```

There will also need to be a way of sending the correct eduPersonAffiliation attribute, with a value of 'staff'. There are many ways to do that, all of which are beyond the scope of this short document (unless, of course, the institution already has that attribute in its LDAP, in which case simply uncommenting the existing definition for eduPersonAffiliation in attribute-resolver.xml will do the trick).

...



3. Configure the SAML metadata for the CCC applications by editing metadata-providers.xml. Inside the "chaining" <MetadataProvider> section, add the provider below.

Note: Be sure to add the referenced local file with the content below first.

```xml
<!-- OpenCCC Metadata, locally maintained -->
<MetadataProvider id="OpenCCCSPfileMD" xsi:type="FilesystemMetadataProvider"
        metadataFile="C:\opt\shibboleth-idp/metadata/OpenCCCSP-static-metadata.xml"
        maxRefreshDelay="P1D" />
```

 



4. Configure Shibboleth to release the appropriate information to the CCC applications by editing attribute-filter.xml. Each policy below is pinned to one SP entityID, and eduPersonAffiliation is limited to an explicit value list rather than released as ANY.

...

```xml
<AttributeFilterPolicy id="releaseForOpenCCCAdminSP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://admin.openccc.net/shibboleth" />

    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
        </PermitValueRule>
    </AttributeRule>
</AttributeFilterPolicy>

<AttributeFilterPolicy id="releaseForOpenCCCControlSP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://ci.control.openccc.net/shibboleth" />

    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
        </PermitValueRule>
    </AttributeRule>
</AttributeFilterPolicy>
```
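As an added audit helper (not part of the original page or of the Shibboleth project), the script below parses an attribute-filter policy group and reports, per policy, which SP entityID it is pinned to and which attributes it releases, flagging a policy whose requirement rule is not a single AttributeRequesterString or whose eduPersonAffiliation rule cannot carry the 'staff' value the CCC applications need. The sample policy group is constructed inline; the `tooBroad` policy is invented to show what gets flagged.

```python
"""Audit a Shibboleth attribute-filter.xml: what each policy releases, and to whom."""
import xml.etree.ElementTree as ET

NS = {"afp": "urn:mace:shibboleth:2.0:afp", "basic": "urn:mace:shibboleth:2.0:afp:mf:basic"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: a policy shaped like releaseForOpenCCCAdminSP above, plus a
# deliberately over-permissive policy (hypothetical) so the audit has something to flag.
SAMPLE = """<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseForOpenCCCAdminSP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                           value="https://admin.openccc.net/shibboleth" />
    <AttributeRule attributeID="givenName"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
      <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="tooBroad">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="email"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def audit(xml_text):
    """Map policy id -> requester entityID, released attributes, and findings."""
    report = {}
    for pol in ET.fromstring(xml_text).findall("afp:AttributeFilterPolicy", NS):
        req = pol.find("afp:PolicyRequirementRule", NS)
        req_type = req.get(XSI_TYPE) if req is not None else None
        entry = {"requester": req.get("value") if req is not None else None,
                 "attrs": [], "findings": []}
        # The page's policies pin release to one SP entityID; anything else over-releases.
        if req_type != "basic:AttributeRequesterString":
            entry["findings"].append(f"requirement rule is {req_type}, not one SP entityID")
        for rule in pol.findall("afp:AttributeRule", NS):
            attr = rule.get("attributeID")
            entry["attrs"].append(attr)
            pvr = rule.find("afp:PermitValueRule", NS)
            values = [r.get("value", "").lower() for r in pvr.findall("basic:Rule", NS)] if pvr is not None else []
            # eduPersonAffiliation must be value-limited and must be able to carry 'staff'.
            if attr == "eduPersonAffiliation" and "staff" not in values:
                entry["findings"].append("eduPersonAffiliation not restricted to a value list including staff")
        report[pol.get("id")] = entry
    return report
```

Run it against the real file with `audit(open("attribute-filter.xml").read())`; a policy with a non-empty findings list deserves a second look before the IdP goes live.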



5. Send your IdP metadata file to the CCCTC Implementation team.

...