Profile Configurations
Section Topics
- SAML and OIDC profile configurations
- Profile configuration options
- Default vs. RP-specific profile configurations
SAML and OIDC profile configurations
The profile configuration file is /opt/shibboleth-idp/conf/relying-party.xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!--
    Unverified RP configuration, defaults to no support for any profiles.
    Add <ref> elements to the list to enable specific default profile settings (as below),
    or create new beans inline to override defaults.

    "Unverified" typically means the IdP has no metadata, or equivalent way of assuring
    the identity and legitimacy of a requesting system. To run an "open" IdP, you can
    enable profiles here.
    -->
    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <!-- <bean parent="SAML2.SSO" p:encryptAssertions="false" /> -->
            </list>
        </property>
    </bean>

    <!--
    Default configuration, with default settings applied for all profiles,
    and enables the attribute-release consent flow.
    -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
                <ref bean="Liberty.SSOS" />
            </list>
        </property>
    </bean>
    ...
The OIDC profile configuration file is /opt/shibboleth-idp/conf/oidc-relying-party.xml
    ...
    <!-- OIDC Profile Configurations. -->

    <bean id="OIDC.SSO" class="org.geant.idpextension.oidc.config.OIDCCoreProtocolConfiguration"
          p:securityConfiguration-ref="%{idp.security.oidc.config:shibboleth.oidc.DefaultSecurityConfiguration}"
          p:iDTokenLifetime="%{idp.oidc.idToken.defaultLifetime:PT1H}"
          p:accessTokenLifetime="%{idp.oidc.accessToken.defaultLifetime:PT10M}"
          p:authorizeCodeLifetime="%{idp.oidc.authorizeCode.defaultLifetime:PT5M}"
          p:refreshTokenLifetime="%{idp.oidc.refreshToken.defaultLifetime:PT2H}"
          p:servletRequest-ref="shibboleth.HttpServletRequest"
          p:tokenEndpointAuthMethods="%{idp.oidc.tokenEndpointAuthMethods:client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt}" />

    <bean id="OIDC.UserInfo" class="org.geant.idpextension.oidc.config.OIDCUserInfoConfiguration"
          p:securityConfiguration-ref="%{idp.security.oidc.config:shibboleth.oidc.DefaultSecurityConfiguration}"
          p:servletRequest-ref="shibboleth.HttpServletRequest" />

    <bean id="OIDC.Registration" class="org.geant.idpextension.oidc.config.OIDCDynamicRegistrationConfiguration"
          p:securityConfiguration-ref="%{idp.security.oidc.config:shibboleth.oidc.DefaultSecurityConfiguration}"
          p:servletRequest-ref="shibboleth.HttpServletRequest"
          p:tokenEndpointAuthMethods="%{idp.oidc.dynreg.tokenEndpointAuthMethods:client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt}" />

    <bean id="OIDC.Configuration" class="org.geant.idpextension.oidc.config.OIDCProviderInformationConfiguration"
          p:securityConfiguration-ref="%{idp.security.oidc.config:shibboleth.oidc.DefaultSecurityConfiguration}"
          p:servletRequest-ref="shibboleth.HttpServletRequest"/>

    <bean id="OAUTH2.Revocation" class="org.geant.idpextension.oauth2.config.OAuth2TokenRevocationConfiguration"
          p:securityConfiguration-ref="%{idp.security.oidc.config:shibboleth.oidc.DefaultSecurityConfiguration}"
          p:servletRequest-ref="shibboleth.HttpServletRequest"/>
    ...
The main configuration file is still /opt/shibboleth-idp/conf/relying-party.xml; with the OIDC extension it imports oidc-relying-party.xml and lists the OIDC profiles alongside the SAML ones
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <import resource="oidc-relying-party.xml"/>

    <bean id="shibboleth.UnverifiedRelyingParty"
          p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction"
          parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="OIDC.Registration" />
                <bean parent="OIDC.Configuration" />
            </list>
        </property>
    </bean>

    <bean id="shibboleth.DefaultRelyingParty"
          p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction"
          parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML2.Logout" />
                <bean parent="OIDC.SSO" p:postAuthenticationFlows="attribute-release" />
                <bean parent="OIDC.UserInfo"/>
                <bean parent="OAUTH2.Revocation"/>
            </list>
        </property>
    </bean>
    ...
Profile configuration options
- https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/ProfileConfigurations
- https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration
- Shared options with all configurations
  - Standard security configuration and our extensions.
    - Used in various ways, depending on the context
      - OIDC.Configuration: signing + encryption configuration (credentials, algorithms) for openid-configuration
      - OIDC.Registration: which signing + encryption configuration details are supported
      - OIDC.SSO: which signing + encryption configuration is enabled
  - Inbound interceptor flows
  - Outbound interceptor flows
- Client authenticable configuration options for OIDC.SSO, OIDC.Registration and OAUTH2.Revocation
  - Endpoint authentication methods
- Flow-aware configuration options for OIDC.SSO and OIDC.Registration
  - Flags to enable implicit, hybrid and authorization code flows
  - Flag to enable refresh tokens
- Flow-specific options
  - Multiple options especially for OIDC.SSO and OIDC.Registration (lifetimes, etc.)
  - Post authentication flows, default authentication methods for OIDC.SSO
Default vs. RP-specific profile configuration
- Default profile configurations enable a wide set of features
The standard shibboleth.RelyingPartyOverrides mechanism can be used with OIDC RPs too
Snippet of /opt/shibboleth-idp/conf/relying-party.xml:
    ...
    <util:list id="shibboleth.RelyingPartyOverrides">
        <bean parent="RelyingPartyByName"
              p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction"
              c:relyingPartyIds="test_rp">
            <property name="profileConfigurations">
                <list>
                    <bean parent="OIDC.SSO" />
                </list>
            </property>
        </bean>
    </util:list>
    ...
- Some of the profile configuration options have overlapping claims in the client metadata
- E.g. token endpoint authentication methods
Exercises
Add the additional audience test_api for all authenticated relying parties.
Verify that the additional audience is visible in the id_token.
Remove postAuthenticationFlows and additionalAudiencesForIdToken settings for test_rp.
Are the additional audiences now visible for test_rp as they are defined in shibboleth.DefaultRelyingParty? Why?
What happens if you configure test_rp so that only private_key_jwt is accepted as the token endpoint authentication method?
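For reference, here is an added example (not part of the original training material) of an RP-specific override for test_rp that brings together the settings the exercises above refer to. The bean and property names RelyingPartyByName, OIDC.SSO, OIDC.UserInfo, postAuthenticationFlows and tokenEndpointAuthMethods are the ones shown earlier on this page; the setting name additionalAudiencesForIdToken is the one the exercise names, and the <set> form used for its value is an assumption about the property's collection type. The values test_rp and test_api come from the exercise text.

```xml
<!-- Added example: RP-specific override for test_rp in
     /opt/shibboleth-idp/conf/relying-party.xml. Not the stock file and not
     from the original page. Bean/property names are those shown on the page;
     the <set> form for additionalAudiencesForIdToken is an assumption. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName"
          p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction"
          c:relyingPartyIds="test_rp">
        <property name="profileConfigurations">
            <list>
                <!-- This list REPLACES the DefaultRelyingParty list for test_rp;
                     only the profiles and settings given here apply to it. -->
                <bean parent="OIDC.SSO"
                      p:postAuthenticationFlows="attribute-release"
                      p:tokenEndpointAuthMethods="private_key_jwt">
                    <!-- Extra audience for the id_token issued to this RP. -->
                    <property name="additionalAudiencesForIdToken">
                        <set>
                            <value>test_api</value>
                        </set>
                    </property>
                </bean>
                <!-- Keep UserInfo available; OAUTH2.Revocation is deliberately
                     not listed, so this RP cannot use the revocation endpoint. -->
                <bean parent="OIDC.UserInfo" />
            </list>
        </property>
    </bean>
</util:list>
```

Two points this illustrates. First, an override's profileConfigurations list replaces the default list rather than merging with it, so an RP matched by RelyingPartyByName gets exactly the profiles and settings written in its own override, and anything set only on shibboleth.DefaultRelyingParty no longer applies to it. Second, tokenEndpointAuthMethods is one of the options that overlaps with client metadata: restricting it to private_key_jwt here only works for a client whose registered token_endpoint_auth_method is private_key_jwt; a client registered for client_secret_basic is rejected at the token endpoint rather than silently falling back.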
The goal of this exercise is to configure the test_rp application to be accessible only to the user teppo2. Shibboleth IdP provides the context-check interceptor for this purpose.
Add the context-check post authentication flow to the relying party configuration.
Edit /opt/shibboleth-idp/conf/intercept/context-check-intercept-config.xml for your needs. HINT: the existing file is a good basis; find out from the attribute resolver configuration which attribute holds the username in your configuration.
Restart the IdP service and try to access the test RP as teppo.
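As an added example (not the file shipped with the IdP and not from the original training material), this is how /opt/shibboleth-idp/conf/intercept/context-check-intercept-config.xml could look once adapted for the exercise. It follows the structure I know from the shipped file (the bean id shibboleth.context-check.Condition, the shibboleth.Conditions.AND parent, and net.shibboleth.idp.profile.logic.SimpleAttributePredicate with its attributeValueMap property), but the attribute id uid is an assumption: replace it with whichever resolver attribute carries the username in your configuration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of /opt/shibboleth-idp/conf/intercept/context-check-intercept-config.xml
     adapted for the exercise; not the stock file and not from the original page.
     Assumption: the resolver attribute holding the username is "uid". -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!-- The context-check flow evaluates this predicate after authentication;
         a false result halts the flow before any id_token or code is issued. -->
    <bean id="shibboleth.context-check.Condition" parent="shibboleth.Conditions.AND">
        <constructor-arg>
            <list>
                <!-- True only when the resolved "uid" attribute has the value teppo2.
                     Add further predicates to the list to AND more conditions. -->
                <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
                    <property name="attributeValueMap">
                        <map>
                            <entry key="uid">
                                <list>
                                    <value>teppo2</value>
                                </list>
                            </entry>
                        </map>
                    </property>
                </bean>
            </list>
        </constructor-arg>
    </bean>

</beans>
```

The interceptor is wired in through postAuthenticationFlows on the OIDC.SSO bean of the test_rp override, for example p:postAuthenticationFlows="#{{'context-check','attribute-release'}}", so the check runs only for that RP and before consent. Because the predicate is evaluated on resolved attributes, it is only as trustworthy as the resolver's source for uid; teppo is denied and teppo2 proceeds only if the resolver actually populates that attribute for both users.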