Attributes for the Proxy: Shibboleth IdP v2


SAML EntityIDs for the Proxy

There are two instances of the CCC SSO Proxy to which you must configure attribute release: a Pilot instance and a Production instance. The entityID for each is:

See below for the set of rules to add to your IdP's conf/attribute-filter.xml file to release the needed attributes to those entityIDs. If you are running your Shibboleth IdPv2 server on Linux instead of Windows, then anywhere a path in the sample configurations below starts with 'C:\opt\shibboleth-idp', change it to just '/opt/shibboleth-idp'.


Metadata for the Proxy

Metadata for the Proxy is contained within the CCC Central Metadata feed, which carries metadata for many CCC-wide services. Add the following configuration to your college/district IdP's conf/relying-party.xml file. It checks every few hours whether an updated file is available, downloads it if so, and keeps a local "backing file" on your IdP so the last good copy remains available if the feed cannot be reached.

    <!-- Central CCC distribution of metadata -->
    <metadata:MetadataProvider id="CCC_Central_Metadata"
                               xsi:type="metadata:FileBackedHTTPMetadataProvider"
                               backingFile="C:\opt\shibboleth-idp/metadata/ccc-central-metadata.xml"
                               metadataURL="http://saml.ccctcportal.org/metadata/ccc-metadata.xml">
        <!-- The filter types live in the metadata: namespace, so every xsi:type needs that prefix -->
        <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
            <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" />
            <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                                     trustEngineRef="shibboleth.MetadataTrustEngine"
                                     requireSignedMetadata="true" />
            <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
                <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
            </metadata:MetadataFilter>
        </metadata:MetadataFilter>
    </metadata:MetadataProvider>

As the above shows, the CCC Central Metadata feed is available at http://saml.ccctcportal.org/metadata/ccc-metadata.xml. Because the feed is fetched over plain HTTP, the SignatureValidation filter in the above configuration is what guarantees you are loading genuine CCC metadata: it verifies the signature on the file against a certificate you keep locally. For that to work, you first need to add the following 'security:TrustEngine' configuration later in the same conf/relying-party.xml file (in the section marked by the existing comment "<!-- Trust engine used to evaluate the signature on loaded metadata. -->"). If you already have an active trust engine with the id shibboleth.MetadataTrustEngine for another federation, add the CCC credential as an additional security:Credential inside it rather than defining a second engine with the same id:

    <!-- Trust engine used to evaluate the signature on CCC loaded metadata. -->
    <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="CCCmetadataCredentials" xsi:type="security:X509Filesystem">
            <security:Certificate>C:\opt\shibboleth-idp/credentials/ccctc-md-cert.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>


Then create the certificate file that this configuration references: a new file named 'ccctc-md-cert.pem' in your IdP's credentials/ directory, holding the CCC metadata-signing certificate in PEM format.


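To see what the RequiredValidUntil and EntityRoleWhiteList filters above do to a feed, here is an added Python model (not code from the CCC page or from Shibboleth) that applies both to a constructed sample metadata document and reports whether the production proxy entityID is still known afterwards. Signature validation is deliberately not reproduced; the IdP's SignatureValidation filter handles that. The sample feed, the function names and the `proxy_present` helper are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PRODUCTION_PROXY = "https://sso.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"

# Constructed sample feed (not the real CCC file): the production proxy SP plus
# an IdP-only entity that the EntityRoleWhiteList filter should discard.
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="ccc-central" validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://sso.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

def parse_saml_datetime(value):
    # SAML metadata carries xs:dateTime in UTC with a trailing "Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def retained_sp_entity_ids(xml_text, now=None):
    """EntityIDs that survive RequiredValidUntil and the SPSSODescriptor whitelist.

    RequiredValidUntil rejects the whole document when its root element has no
    validUntil or that time is already past, so those cases raise ValueError
    instead of returning a partial list (the IdP would not load such a feed).
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text.strip())
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("root element has no validUntil; RequiredValidUntil rejects it")
    if parse_saml_datetime(valid_until) <= now:
        raise ValueError("metadata expired at " + valid_until)
    kept = []
    for entity in root.iter("{%s}EntityDescriptor" % MD_NS):
        # EntityRoleWhiteList keeps only entities that carry a retained role
        if entity.find("{%s}SPSSODescriptor" % MD_NS) is not None:
            kept.append(entity.get("entityID"))
    return kept

def proxy_present(xml_text, proxy_entity_id=PRODUCTION_PROXY, now=None):
    """True when the proxy SP is still known to the IdP after filtering."""
    return proxy_entity_id in retained_sp_entity_ids(xml_text, now)
```

Point it at your backing file (read its text and pass it in) to confirm the proxy entityIDs survive filtering and that the feed has not expired.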

Configure the Attributes

Make sure you understand all of the following attributes and have them available in your IdP.

For each attribute the entries below give its simple name, the SAMLv2 name used when it is sent in the SAMLv2 response, a short description, sample value(s), and a longer description where needed.

eduPersonPrincipalName (EPPN)
  SAMLv2 name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  Short description: The primary federated identifier of a given user from a college/district IdP.
  Sample value(s): jsmith@college.edu, 12345678@college.edu
  Description: EPPN has the syntax of an email address, but it should be considered a "globally unique federated identifier" rather than an email address. It is generally the most important attribute to be shared with federated services. Note that the value of EPPN does not have to match what the user fills in as their username when they log in, and the user does not need to know what their EPPN is, as it is shared between the IdP and the service. It should be unique, rarely change, and never be reassigned to another person.

eduPersonAffiliation
  SAMLv2 name: urn:oid:1.3.6.1.4.1.5923.1.1.1.1
  Short description: Role within the institution
  Sample value(s): staff, student, member
  Description: All of the roles a given person has within the college. This is the only attribute listed here that is intended to have multiple values. All the rest are expected to have a single value.

eduPersonPrimaryAffiliation
  SAMLv2 name: urn:oid:1.3.6.1.4.1.5923.1.1.1.5
  Short description: Primary role at the institution
  Sample value(s): staff, student, faculty
  Description: Must be one of the values specified in eduPersonAffiliation. If the eduPersonAffiliation attribute has many values, the primary affiliation should reflect the role to be associated with services that differentiate based on this value (such as the CCC Portal).

uid
  SAMLv2 name: urn:oid:0.9.2342.19200300.100.1.1
  Short description: Username
  Sample value(s): jsmith
  Description: This is usually the value that the user fills in as their username when they log in. If you are using AD, the usual attribute you want to use to populate uid is the sAMAccountName attribute.

givenName
  SAMLv2 name: urn:oid:2.5.4.42
  Short description: First Name
  Sample value(s): Jane

sn (surname)
  SAMLv2 name: urn:oid:2.5.4.4
  Short description: Last Name
  Sample value(s): Smith

displayName
  SAMLv2 name: urn:oid:2.16.840.1.113730.3.1.241
  Short description: Full name to display
  Sample value(s): Jane Smith

mail (email)
  SAMLv2 name: urn:oid:0.9.2342.19200300.100.1.3
  Short description: Email Address
  Sample value(s): jane.smith@college.edu

cccId
  SAMLv2 name: https://www.openccc.net/saml/attributes/cccId
  Short description: Unique id for a student within the CCC system
  Description: The CCCID is a critical attribute for students. If it is not specified but is required for a portal or service action, the CCCID will be looked up via the EPPN. If no match is found, the action cannot be performed until the user creates a CCCID via the OpenCCC portlet.

street
  SAMLv2 name: urn:oid:2.5.4.9
  Short description: Street address
  Sample value(s): 303 Mulberry St.

locality
  SAMLv2 name: urn:oid:2.5.4.7
  Short description: City
  Sample value(s): Metropolis

st
  SAMLv2 name: urn:oid:2.5.4.8
  Short description: State or Province name
  Sample value(s): CA

postalCode
  SAMLv2 name: urn:oid:2.5.4.17
  Short description: Postal or zip code
  Sample value(s): 12345

homePhone
  SAMLv2 name: urn:oid:0.9.2342.19200300.100.1.20
  Short description: Home Phone Number
  Sample value(s): +1 212 555 1234

mobile
  SAMLv2 name: urn:oid:0.9.2342.19200300.100.1.41
  Short description: Mobile Phone Number
  Sample value(s): +1 775 555 6789


Release Attributes to Proxy Instances

The last step is to configure your college/district IdP to release the above attributes to the Proxy entityIDs. To do this, edit your IdP's conf/attribute-filter.xml file and add the lines below. Verify that your IdP's conf/attribute-resolver.xml file defines each of these attributes with the same "id" the rules below reference, and if not, adjust the rules to the "id" you used. Note in particular that the rules below use the ids email, surname, mobileNumber and stateProvince, whereas the attribute list above uses the names mail, sn, mobile and st; an AttributeRule whose attributeID matches nothing the resolver produces releases nothing for that attribute, without any error.


    <!--
         Release all required and optional attributes, for any service,
         to the CCC IdP Proxy, so that it in turn can release only the
         attributes each service on the other side of the Proxy needs.
         Not every attribute is sent to every service, only the ones a
         given service needs. The attributes here should constitute the
         "union" of all attributes any service could require.
    -->
    <afp:AttributeFilterPolicy id="CCCWideReleaseForIdPProxy">
        <afp:PolicyRequirementRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sso.ci.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sso.test.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sso.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
        </afp:PolicyRequirementRule>
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="uid">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="givenName">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="surname">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="displayName">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonAffiliation">
            <afp:PermitValueRule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true"/>
                <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true"/>
                <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true"/>
                <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true"/>
                <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true"/>
                <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true"/>
                <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true"/>
                <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonPrimaryAffiliation">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

        <!-- CCC specific attributes -->
        <afp:AttributeRule attributeID="cccId">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="cccMisCode">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

        <!-- Less likely attributes to be populated, but release if available -->
        <afp:AttributeRule attributeID="mobileNumber">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="homePhone">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="telephoneNumber">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="postalAddress">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="street">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="locality">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="stateProvince">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="postalCode">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
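To reason about what this policy actually hands to a requester, here is an added Python model of it (not code from the CCC page or from Shibboleth) that applies the requester check, the basic:ANY rules and the case-insensitive eduPersonAffiliation whitelist to a set of resolved attributes. It assumes this is the only policy in attribute-filter.xml that matches the proxy, and the sample attribute values are constructed.

```python
# EntityIDs accepted by the basic:OR PolicyRequirementRule above
PROXY_REQUESTERS = {
    "https://sso.ci.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php",
    "https://sso.test.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php",
    "https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php",
    "https://sso.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php",
}

# AttributeRules whose PermitValueRule is basic:ANY (resolver ids, not table names)
RELEASE_ANY = {
    "eduPersonPrincipalName", "uid", "email", "givenName", "surname", "displayName",
    "eduPersonPrimaryAffiliation", "cccId", "cccMisCode", "mobileNumber", "homePhone",
    "telephoneNumber", "postalAddress", "street", "locality", "stateProvince", "postalCode",
}

# eduPersonAffiliation: basic:OR of AttributeValueString rules with ignoreCase="true"
AFFILIATION_PERMITTED = {"faculty", "student", "staff", "alum", "member",
                         "affiliate", "employee", "library-walk-in"}

def filter_attributes(requester, attributes):
    """Return the attributes (id -> values) released to `requester`.

    `attributes` maps resolver attribute id -> list of values, as the resolver
    hands them to the filter engine. A requester that fails the
    PolicyRequirementRule gets nothing; an attribute with no AttributeRule is
    dropped, which is what happens when the resolver id does not match the
    attributeID used in the policy (e.g. "mail" versus "email").
    """
    if requester not in PROXY_REQUESTERS:
        return {}
    released = {}
    for attr_id, values in attributes.items():
        if attr_id in RELEASE_ANY:
            kept = list(values)
        elif attr_id == "eduPersonAffiliation":
            kept = [v for v in values if v.lower() in AFFILIATION_PERMITTED]
        else:
            kept = []
        if kept:
            released[attr_id] = kept
    return released
```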