Shibboleth V3 Customizations for CCCApply Applications

Here are some general requirements/guidelines before getting started with Shibboleth:

  • No firewall between IdP and Active Directory
  • Windows 2008 R2 preferred (if Windows)
  • 4 GB RAM, a modern processor, and ~24 GB of storage should be enough for the OS, the applications, and logging
  • No failover required
  • Commercial SSL certificate available for the IdP (and DNS resolution for the selected host name)
  • Remote access (RDP for Windows, SSH for Linux)

Shibboleth 2 vs. Shibboleth 3 Customizations

  • Chaining is now assumed for all entries in the metadata-providers.xml configuration file: the root element is a chaining provider, so individual providers are added directly beneath it
  • Prefixes such as 'afp:' for the filter entries and 'metadata:' for the metadata entry are no longer needed

Note: Leaving the 'afp:' prefix in place is harmless, because the default attribute-filter.xml still declares that namespace. A leftover 'metadata:' prefix, however, is not recognized unless you declare it on the root '<MetadataProvider ' element at the top of metadata-providers.xml, alongside the other xmlns declarations: xmlns:metadata="urn:mace:shibboleth:2.0:metadata"

 


To customize a working Shibboleth IdP to work with the OpenCCC Account Creation, CCCApply applications, and BOG Fee Waiver applications, the following changes are required to Shibboleth configuration files:


1. Define any custom attributes that will be needed (there may only be a single attribute) in attribute-resolver.xml

 

<!-- cccEduID - only needed if LDAP contains this attribute, edit sourceAttributeID as appropriate -->
 <!--
 <resolver:AttributeDefinition xsi:type="ad:Simple" id="cccEduId" sourceAttributeID="cccEduId">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:cccEduId" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:mace:dir:attribute-def:cccEduId" />
 </resolver:AttributeDefinition>
 -->

 

Note: The IdP also needs to send the eduPersonAffiliation attribute with a value of 'staff'. There are many ways to source that value, all of them beyond the scope of this short document, unless the institution already stores eduPersonAffiliation in its LDAP directory, in which case uncommenting the existing eduPersonAffiliation definition in attribute-resolver.xml is sufficient.



2. Retrieve the SAML metadata for the CCCApply applications and BOG Fee Waiver application.

The Service Provider metadata can be retrieved via the web for the following environments.
When the browser prompts you, save the file as C:\opt\shibboleth-idp/metadata/OpenCCCSP-static-metadata.xml (the path referenced in step 3).



3. Configure the SAML metadata for the CCC applications by editing metadata-providers.xml.

Note: Save the referenced local file (step 2) before adding this entry and restarting the IdP; if the file is missing, the provider fails to initialize and, with the default failFastInitialization setting, the IdP does not start. Because no signature-validation filter is configured here, the IdP trusts the file's contents as-is: download it over HTTPS from the CCCTC-published URL and restrict write access to the file.

 

 <!-- OpenCCC Metadata, locally maintained -->
 <MetadataProvider id="OpenCCCSPfileMD" xsi:type="FilesystemMetadataProvider"
        metadataFile="C:\opt\shibboleth-idp/metadata/OpenCCCSP-static-metadata.xml"
        maxRefreshDelay="P1D" />
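Since the provider above applies no signature validation, it is worth checking the saved file offline before the IdP loads it. The following script is an added example for this page (not CCCTC or Shibboleth code): it parses the metadata, confirms that the entityIDs match the ones the step 4 filter policies release to, that every AssertionConsumerService uses HTTPS, that each SP carries an X.509 certificate, and that any validUntil has not passed. The embedded metadata document is constructed for the example (its second entity is deliberately flawed) and is not the real OpenCCC metadata; the expected entityID set is an assumption taken from the step 4 policies.

```python
"""Offline sanity check of a saved SP metadata file before the
FilesystemMetadataProvider loads it.  Added example for this page, not
CCCTC or Shibboleth code.  SAMPLE_METADATA is CONSTRUCTED (second entity
deliberately flawed) and is not the real OpenCCC metadata."""
import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Assumption: the file should contain exactly the SPs the step 4 policies release to.
EXPECTED_ENTITY_IDS = {
    "https://admin.openccc.net/shibboleth",
    "https://ci.control.openccc.net/shibboleth",
}

# The X509Certificate below is a placeholder base64 blob, not a real certificate.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2099-01-01T00:00:00Z">
  <EntityDescriptor entityID="https://admin.openccc.net/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBszCCAVwCCQDA</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></KeyDescriptor>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://admin.openccc.net/Shibboleth.sso/SAML2/POST" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://ci.control.openccc.net/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://ci.control.openccc.net/Shibboleth.sso/SAML2/POST" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

def _to_utc(value):
    # Accept a datetime or an ISO 8601 string such as 2099-01-01T00:00:00Z.
    if isinstance(value, str):
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    return value

def check_sp_metadata(xml_text, expected=EXPECTED_ENTITY_IDS, now=None):
    """Return a list of problem strings; an empty list means the file passed."""
    now = _to_utc(now) if now else datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{MD}}}EntitiesDescriptor":
        entities = root.findall("md:EntityDescriptor", NS)
    elif root.tag == f"{{{MD}}}EntityDescriptor":
        entities = [root]
    else:
        return [f"unexpected root element {root.tag}"]
    # validUntil may sit on the document or on one entity; the IdP discards
    # expired metadata, so catch it before the provider does.
    for el in (entities if root in entities else [root] + entities):
        vu = el.get("validUntil")
        if vu and _to_utc(vu) <= now:
            problems.append(f"{el.get('entityID', 'document')} expired at {vu}")
    seen = set()
    for ent in entities:
        eid = ent.get("entityID", "")
        seen.add(eid)
        if eid not in expected:
            problems.append(f"unexpected entityID {eid}: no filter policy releases to it")
        sp = ent.find("md:SPSSODescriptor", NS)
        if sp is None:
            problems.append(f"{eid}: no SPSSODescriptor")
            continue
        # Assertions are POSTed to these URLs; a plaintext endpoint exposes them.
        for acs in sp.findall("md:AssertionConsumerService", NS):
            loc = acs.get("Location", "")
            if not loc.startswith("https://"):
                problems.append(f"{eid}: non-HTTPS AssertionConsumerService {loc}")
        # Without a certificate the IdP can neither encrypt assertions to the SP
        # nor verify requests it signs.
        certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if not certs:
            problems.append(f"{eid}: no X509Certificate in any KeyDescriptor")
        for cert in certs:
            try:
                ok = bool(base64.b64decode("".join((cert.text or "").split()), validate=True))
            except (binascii.Error, ValueError):
                ok = False
            if not ok:
                problems.append(f"{eid}: X509Certificate is not valid base64")
    for eid in sorted(expected - seen):
        problems.append(f"expected entityID {eid} missing from metadata")
    return problems

if __name__ == "__main__":
    print(*(check_sp_metadata(SAMPLE_METADATA) or ["OK: no problems found"]), sep="\n")
```

To check the real download, replace SAMPLE_METADATA with the contents of C:\opt\shibboleth-idp/metadata/OpenCCCSP-static-metadata.xml; an empty result means the file passed these checks. They complement, rather than replace, confirming that the download came over HTTPS from the CCCTC-published URL.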

 



4. Configure Shibboleth to release the appropriate information to the CCC applications by editing attribute-filter.xml. The attributeID values below must match the id values of the AttributeDefinition elements in your attribute-resolver.xml (they correspond to the default V3 definitions); rename them if your resolver uses different ids.

 

    <AttributeFilterPolicy id="releaseForOpenCCCAdminSP">
        <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://admin.openccc.net/shibboleth" />

        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAffiliation">
            <PermitValueRule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
            </PermitValueRule>
        </AttributeRule>
    </AttributeFilterPolicy>

    <AttributeFilterPolicy id="releaseForOpenCCCControlSP">
        <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://ci.control.openccc.net/shibboleth" />

        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAffiliation">
            <PermitValueRule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
            </PermitValueRule>
        </AttributeRule>
    </AttributeFilterPolicy>
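To see what the policy above actually releases before the SP does, here is a small evaluator, added for this page (not CCCTC or Shibboleth code), that reads the releaseForOpenCCCAdminSP policy exactly as written above and applies it to a constructed user record. It models only the match functions the page uses (AttributeRequesterString, AttributeValueString, ANY and OR) and PermitValueRule; the IdP also supports DenyValueRule, which overrides a permit and is not modelled here. The user record and the requester entityIDs other than the CCC ones are assumptions for the example.

```python
"""Offline evaluation of the attribute-filter.xml policy above.

Added example for this page, not CCCTC or Shibboleth code.  It models the
match functions the page uses (AttributeRequesterString, AttributeValueString,
ANY, OR) and PermitValueRule only; the IdP's DenyValueRule, which overrides a
permit, is not modelled.  SAMPLE_USER is constructed, not real data."""
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"afp": "urn:mace:shibboleth:2.0:afp"}

# The releaseForOpenCCCAdminSP policy from this page, inside the root element
# that attribute-filter.xml uses.
POLICY_XML = """<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseForOpenCCCAdminSP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://admin.openccc.net/shibboleth" />
    <AttributeRule attributeID="givenName"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="surname"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="email"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="displayName"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
      <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""

# Constructed resolved attributes for one user.  "uid" has no AttributeRule and
# "contractor" is outside the permitted vocabulary, so neither should reach the SP.
SAMPLE_USER = {
    "givenName": ["Ada"], "surname": ["Lovelace"], "displayName": ["Ada Lovelace"],
    "email": ["ada@college.example"], "eduPersonPrincipalName": ["ada@college.example"],
    "eduPersonAffiliation": ["Staff", "contractor"],
    "uid": ["alovelace"],
}

def _kind(rule):
    # "basic:AttributeValueString" -> "AttributeValueString"
    return rule.get(f"{{{XSI}}}type", "").split(":")[-1]

def _str_match(rule, actual):
    want = rule.get("value", "")
    if rule.get("ignoreCase", "false").lower() == "true":  # default is case-sensitive
        return actual.lower() == want.lower()
    return actual == want

def _eval(rule, ctx):
    """ctx holds the requester entityID and, inside a PermitValueRule, the value under test."""
    kind = _kind(rule)
    if kind == "ANY":
        return True
    if kind == "AttributeRequesterString":
        return _str_match(rule, ctx["requester"])
    if kind == "AttributeValueString":
        return _str_match(rule, ctx["value"] or "")
    if kind == "OR":
        return any(_eval(child, ctx) for child in rule)
    raise ValueError(f"unsupported match function {kind!r}")

def release(policy_xml, requester, attributes):
    """Return {attributeID: [values]} the IdP would release to requester.
    Permits are additive across every policy whose requirement rule matches,
    and an attribute with no surviving value is omitted entirely."""
    root = ET.fromstring(policy_xml)
    released = {}
    for policy in root.findall("afp:AttributeFilterPolicy", NS):
        req = policy.find("afp:PolicyRequirementRule", NS)
        if not _eval(req, {"requester": requester, "value": None}):
            continue
        for arule in policy.findall("afp:AttributeRule", NS):
            aid = arule.get("attributeID")
            permit = arule.find("afp:PermitValueRule", NS)
            if aid not in attributes or permit is None:
                continue
            for value in attributes[aid]:
                if _eval(permit, {"requester": requester, "value": value}):
                    bucket = released.setdefault(aid, [])
                    if value not in bucket:
                        bucket.append(value)
    return released

if __name__ == "__main__":
    print(release(POLICY_XML, "https://admin.openccc.net/shibboleth", SAMPLE_USER))
```

Running it shows the five identity attributes released unchanged, eduPersonAffiliation reduced to the single vocabulary value "Staff" (matched case-insensitively), and nothing at all for a requester whose entityID differs from the policy value, even by case, since AttributeRequesterString compares exactly unless ignoreCase is set.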



5. Send your IdP metadata file to the CCCTC implementation team.

If you installed your IdP in the location used in these examples, the file is C:\opt\shibboleth-idp/metadata/idp-metadata.xml.
Send this file to the CCCTC implementation team so they can configure the CCC applications to trust your IdP.


6. Test your implementation

Once everything has been configured and the CCCTC team has added your IdP metadata to the CCCApply applications and the BOG Fee Waiver application, use the following URLs for the CCC environment you are testing with to confirm that authentication and attribute release are working correctly.