...

Panel
bgColorlightblue
titleExercise 75.1 - Modifying default profile configuration
  1. Add test_api as an additional id_token audience for every relying party served by shibboleth.DefaultRelyingParty (that is, every RP without an override of its own)

    Code Block
    themeRDark
    titleSnippet of /opt/shibboleth-idp/conf/relying-party.xml
    collapsetrue
    ...
    
        <bean id="shibboleth.DefaultRelyingParty" p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" parent="RelyingParty">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                    <ref bean="SAML2.Logout" />
                    <bean parent="OIDC.SSO" p:postAuthenticationFlows="attribute-release" p:additionalAudiencesForIdToken="test_api" />
                    <bean parent="OIDC.UserInfo"/>
                    <bean parent="OAUTH2.Revocation"/>
                </list>
            </property>
        </bean>
    
    ...


  2. Verify that the additional audience is visible in the id_token.

    Code Block
    themeRDark
    titleHints, Tips and Result
    collapsetrue
    [OIDC_CLAIM_aud] => test_rp,test_api
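    The value above is what the RP's OIDC module exposes once a second audience is present; what each consumer has to do with it is not shown on the page. The following Go program is an added example (not code from this page, from the Shibboleth IdP or from the GEANT OIDC extension) of the audience checks OIDC Core 3.1.3.7 asks of a token consumer, run once as test_rp, once as test_api and once as an unrelated API. The issuer https://idp.example.org, the HS256 demo key and the azp value are constructed for the example: the real id_token is signed with the IdP's own key, and whether the extension emits azp is not something this page states.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"time"
)

// audience decodes the "aud" claim: one string for a single audience, a JSON array
// once additionalAudiencesForIdToken adds more. Naive RP code comparing aud to the
// client_id as a plain string breaks on the array form.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

// Claims is the subset of id_token claims the audience check needs.
type Claims struct {
	Iss string   `json:"iss"`
	Aud audience `json:"aud"`
	Azp string   `json:"azp,omitempty"`
	Exp int64    `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintIDToken signs the claims with HS256 under a shared demo key: a constructed
// stand-in for the IdP's asymmetrically signed tokens. The audience logic is the same.
func mintIDToken(key []byte, c Claims) string {
	payload, _ := json.Marshal(c) // cannot fail for this struct
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// verifyIDToken runs the audience checks of OIDC Core 3.1.3.7 from one consumer's
// point of view: myAud is its own identifier (the RP's client_id, or test_api's
// name), allowedAzp the clients it accepts as the token's authorized party.
func verifyIDToken(key []byte, token, issuer, myAud string, allowedAzp []string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature check failed")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer || now.Unix() >= c.Exp {
		return nil, errors.New("wrong issuer or token expired")
	}
	// aud MUST contain the verifier: a token for test_rp and test_api is valid at no other API.
	if !slices.Contains(c.Aud, myAud) {
		return nil, fmt.Errorf("aud %v does not contain %q", []string(c.Aud), myAud)
	}
	// With several audiences azp names the client the token was issued to (Core says
	// SHOULD for its presence; this checker is strict and requires it).
	if len(c.Aud) > 1 && c.Azp == "" {
		return nil, errors.New("multiple audiences but no azp claim")
	}
	if c.Azp != "" && !slices.Contains(allowedAzp, c.Azp) {
		return nil, fmt.Errorf("azp %q is not an accepted authorized party", c.Azp)
	}
	return &c, nil
}

func main() {
	key, now := []byte("constructed-demo-key"), time.Unix(1538649949, 0)
	// Constructed token carrying the exercise's result, aud = test_rp,test_api.
	tok := mintIDToken(key, Claims{Iss: "https://idp.example.org", Aud: audience{"test_rp", "test_api"},
		Azp: "test_rp", Exp: now.Add(5 * time.Minute).Unix()})
	for _, consumer := range []string{"test_rp", "test_api", "other_api"} {
		_, err := verifyIDToken(key, tok, "https://idp.example.org", consumer, []string{"test_rp"}, now)
		fmt.Printf("%-9s -> %v\n", consumer, err)
	}
}
```

    The point the exercise result hides: test_api accepting the token is only safe if it checks that its own name is in aud and that azp is a client it trusts; treating azp as if it had to equal test_api's own name would reject every token, and skipping the aud check would accept tokens minted for any other API of the same IdP.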


...

Panel
bgColorlightblue
titleExercise 75.2 - Modifying RP-specific profile configuration
  1. Remove the postAuthenticationFlows and additionalAudiencesForIdToken settings for test_rp by giving it an override whose OIDC.SSO bean carries neither.

    Code Block
    themeRDark
    titleSnippet of /opt/shibboleth-idp/conf/relying-party.xml
    collapsetrue
    ...
    
        <util:list id="shibboleth.RelyingPartyOverrides">
            <bean parent="RelyingPartyByName"  p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" c:relyingPartyIds="test_rp">
                <property name="profileConfigurations">
                    <list>
                        <bean parent="OIDC.SSO" />
                    </list>
                </property>
            </bean>
        </util:list>
    
    ...


  2. Is the additional audience defined in shibboleth.DefaultRelyingParty still visible for test_rp? Why, or why not?

    Code Block
    themeRDark
    titleHints, Tips and Result
    collapsetrue
    [OIDC_CLAIM_aud] => test_rp
    
    
    It is not. The override's <bean parent="OIDC.SSO" /> inherits from the OIDC.SSO bean definition in oidc-relying-party.xml (the extension's defaults), not from the customised OIDC.SSO bean inside shibboleth.DefaultRelyingParty. A RelyingPartyOverrides entry replaces the whole profile configuration list for that RP instead of merging with the default one, so every setting the RP is meant to keep (here also the attribute-release flow) has to be repeated in the override.


  3. What happens if you configure test_rp so that private_key_jwt is the only accepted token endpoint authentication method?

    Code Block
    themeRDark
    titleSnippet of /opt/shibboleth-idp/conf/relying-party.xml
    collapsetrue
    ...
    
        <util:list id="shibboleth.RelyingPartyOverrides">
            <bean parent="RelyingPartyByName"  p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" c:relyingPartyIds="test_rp">
                <property name="profileConfigurations">
                    <list>
                        <bean parent="OIDC.SSO" p:tokenEndpointAuthMethods="private_key_jwt" />
                    </list>
                </property>
            </bean>
        </util:list>
    
    ...
    
    


    Code Block
    themeRDark
    titleSnippet of /opt/shibboleth-idp/logs/idp-process.log
    collapsetrue
    ...
    2018-10-04 12:45:49,839 - DEBUG [org.geant.idpextension.oidc.profile.impl.InitializeRelyingPartyContext:170] - Attaching RelyingPartyContext for rp test_rp
    2018-10-04 12:45:49,839 - DEBUG [org.geant.idpextension.oidc.profile.impl.InitializeRelyingPartyContext:175] - Profile Action InitializeRelyingPartyContext: Setting the rp context verified
    2018-10-04 12:45:49,840 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration EntityNames[test_rp,] for request
    2018-10-04 12:45:49,843 - WARN [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:250] - Profile Action ValidateEndpointAuthentication: The requested method client_secret_basic is not enabled
    2018-10-04 12:45:49,843 - WARN [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:230] - Profile Action ValidateEndpointAuthentication: Unsupported client authentication method client_secret_basic
    2018-10-04 12:45:49,853 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: AccessDenied
    ...

    The RP still authenticates to the token endpoint with client_secret_basic. That method is no longer enabled for test_rp, so ValidateEndpointAuthentication rejects the token request and the flow ends with AccessDenied; the RP would have to be reconfigured to sign a client assertion with its own private key.
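    To see what the override demands of the client, here is an added Go example (mine, not code from the page or from the GEANT OIDC extension) of both sides of private_key_jwt: the RP builds the client assertion, and the token endpoint refuses a request that still arrives with client_secret_basic, which is the situation behind the WARN lines above. The token endpoint URL, the generated RSA key pair and the Basic credential are constructed for the example; the method names, the assertion type URN and the claim rules come from RFC 7523 and OIDC Core section 9. jti replay tracking is left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"time"
)

const jwtBearer = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

// assertion is the private_key_jwt body (RFC 7523, OIDC Core section 9): iss and sub
// both carry the client_id, aud the token endpoint, jti a per-request unique value.
type assertion struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

// BuildClientAssertion is the RP side: a fresh RS256-signed assertion for one request.
func BuildClientAssertion(key *rsa.PrivateKey, clientID, tokenURL, jti string, now time.Time) string {
	enc := base64.RawURLEncoding.EncodeToString
	payload, _ := json.Marshal(assertion{clientID, clientID, tokenURL, jti, now.Add(time.Minute).Unix()})
	input := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only a broken key gets here
	}
	return input + "." + enc(sig)
}

type TokenRequest struct {
	BasicAuth           string // Authorization: Basic header value, if sent
	ClientAssertionType string // client_assertion_type form parameter
	ClientAssertion     string // client_assertion form parameter
}

// Authenticate is the IdP side. enabled plays the role of tokenEndpointAuthMethods on
// the OIDC.SSO bean; keys maps each registered client_id to its public key. Secret-based
// methods are not implemented here: if one is enabled and chosen, parsing fails closed.
func Authenticate(req TokenRequest, enabled []string, keys map[string]*rsa.PublicKey, tokenURL string, now time.Time) (string, error) {
	method := "none"
	if req.BasicAuth != "" {
		method = "client_secret_basic"
	} else if req.ClientAssertionType == jwtBearer {
		method = "private_key_jwt"
	}
	if !slices.Contains(enabled, method) {
		return "", fmt.Errorf("the requested method %s is not enabled", method)
	}
	parts := strings.Split(req.ClientAssertion, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed client_assertion")
	}
	hdr, _ := base64.RawURLEncoding.DecodeString(parts[0])
	body, _ := base64.RawURLEncoding.DecodeString(parts[1])
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	var h struct{ Alg string }
	var c assertion
	// Pin the algorithm: alg=none, or an HMAC alg keyed with the RSA public key, is refused.
	if json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" || json.Unmarshal(body, &c) != nil {
		return "", errors.New("unsupported or malformed assertion")
	}
	// Key lookup uses the client_id claimed in iss; nothing is trusted before the signature verifies.
	pub, ok := keys[c.Iss]
	if !ok || c.Sub != c.Iss {
		return "", errors.New("unknown client or iss/sub mismatch")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("client_assertion signature invalid")
	}
	if c.Aud != tokenURL || now.Unix() >= c.Exp {
		return "", errors.New("assertion not meant for this endpoint, or expired")
	}
	return c.Iss, nil // jti replay tracking omitted for brevity
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed client key pair
	now, url := time.Unix(1538649949, 0), "https://idp.example.org/idp/profile/oidc/token"
	keys, enabled := map[string]*rsa.PublicKey{"test_rp": &key.PublicKey}, []string{"private_key_jwt"}
	// What test_rp still sends (constructed Basic credential) versus what the override demands.
	_, err := Authenticate(TokenRequest{BasicAuth: "dGVzdF9ycDpzZWNyZXQ="}, enabled, keys, url, now)
	fmt.Println("client_secret_basic:", err)
	a := BuildClientAssertion(key, "test_rp", url, "jti-1", now)
	id, err := Authenticate(TokenRequest{ClientAssertionType: jwtBearer, ClientAssertion: a}, enabled, keys, url, now)
	fmt.Println("private_key_jwt:", id, err)
}
```

    The method check comes first and is independent of whether the presented credential is valid, which is why a correct client secret is worthless once the override is in place. On the assertion path the order matters too: the algorithm is pinned before the body is read, and the key is selected from the registration of the claimed client_id, never from anything inside the assertion.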


...

Panel
bgColorlightblue
titleExercise 75.3 - Advanced access-control configuration with context-check

The goal of this exercise is to make the test_rp application accessible only to the user teppo2. Shibboleth IdP provides the context-check interceptor for this purpose.

  1. Add the context-check post-authentication flow to the relying party configuration of test_rp

    Code Block
    themeRDark
    titleSnippet of /opt/shibboleth-idp/conf/relying-party.xml
    collapsetrue
    ...
    
        <util:list id="shibboleth.RelyingPartyOverrides">
            <bean parent="RelyingPartyByName"  p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" c:relyingPartyIds="test_rp">
                <property name="profileConfigurations">
                    <list>
                        <bean parent="OIDC.SSO" p:postAuthenticationFlows="context-check"/>
                    </list>
                </property>
            </bean>
        </util:list>
    
    ...


  2. Edit /opt/shibboleth-idp/conf/intercept/context-check-intercept-config.xml for your needs. HINT! The existing file is a good basis; find out from attribute-resolver.xml which attribute carries the username in your configuration.

    Code Block
    themeRDark
    titleHints, Tips and Result
    collapsetrue
    ...
    
    
        <bean id="shibboleth.context-check.Condition" parent="shibboleth.Conditions.AND">
            <constructor-arg>
                <list>
                    <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'test_rp'}}" />
                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
                            p:useUnfilteredAttributes="true">
                        <property name="attributeValueMap">
                            <map>
                                <entry key="uid">
                                    <list>
                                        <value>teppo2</value>
                                    </list>
                                </entry>
                            </map>
                        </property>
                    </bean>
                </list>
            </constructor-arg>
        </bean>
    
    
    ...


  3. Restart the IdP service and try to access the test RP as teppo and as teppo2 (both have the same password). Log the user out between attempts via the /idp/profile/Logout endpoint.

    Code Block
    themeRDark
    titleSnippet of /opt/shibboleth-idp/logs/idp-process.log
    collapsetrue
    ...
    2018-10-05 01:20:37,187 - INFO [Shibboleth-Audit.SSO:276] - 20181005T012037Z|AuthenticationRequest||test_rp|http://csc.fi/ns/profiles/oidc/sso/browser|https://192.168.0.150|||teppo|||||
    ...
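    How the condition bean from step 2 decides, as an added Go example rather than IdP code: the AND, the RelyingPartyId candidate check and the attribute match are modelled as predicates and run for teppo and teppo2, once with useUnfilteredAttributes="true" as in the exercise and once with "false". The attribute sets and the filter policy that withholds uid from test_rp are constructed for the example. That SimpleAttributePredicate matches when any listed value of any listed attribute is present is my reading of its default behaviour, and ContextCheckDenied is the event the stock context-check flow signals on failure; neither is stated on this page.

```go
package main

import "fmt"

// Attributes is the principal's resolved attribute set: attribute ID -> values.
// Shibboleth attributes are multi-valued, so every entry is a slice.
type Attributes map[string][]string

// Condition mirrors the predicate beans wired into shibboleth.context-check.Condition.
// It sees both the unfiltered (resolved) attributes and those the filter policy releases.
type Condition func(rpID string, unfiltered, filtered Attributes) bool

// And is shibboleth.Conditions.AND: every member must hold.
func And(conds ...Condition) Condition {
	return func(rpID string, u, f Attributes) bool {
		for _, c := range conds {
			if !c(rpID, u, f) {
				return false
			}
		}
		return true
	}
}

// RelyingPartyID is shibboleth.Conditions.RelyingPartyId with its candidates set.
func RelyingPartyID(candidates ...string) Condition {
	return func(rpID string, _, _ Attributes) bool {
		for _, c := range candidates {
			if c == rpID {
				return true
			}
		}
		return false
	}
}

// SimpleAttributePredicate holds when any listed attribute carries any listed value
// (assumption: the match-any behaviour I understand to be the default). useUnfiltered
// is the p:useUnfilteredAttributes setting: true inspects the attributes as resolved,
// false only what the attribute-filter policy releases to this RP.
func SimpleAttributePredicate(valueMap map[string][]string, useUnfiltered bool) Condition {
	return func(_ string, u, f Attributes) bool {
		attrs := f
		if useUnfiltered {
			attrs = u
		}
		for id, wanted := range valueMap {
			for _, have := range attrs[id] {
				for _, w := range wanted {
					if have == w {
						return true
					}
				}
			}
		}
		return false
	}
}

// ContextCheck is the interceptor's decision: continue, or signal ContextCheckDenied.
func ContextCheck(cond Condition, rpID string, u, f Attributes) string {
	if cond(rpID, u, f) {
		return "proceed"
	}
	return "ContextCheckDenied"
}

// ExerciseCondition is the bean from step 2: AND(RelyingPartyId{test_rp}, uid in {teppo2}).
func ExerciseCondition(useUnfiltered bool) Condition {
	return And(RelyingPartyID("test_rp"),
		SimpleAttributePredicate(map[string][]string{"uid": {"teppo2"}}, useUnfiltered))
}

// release models an attribute-filter policy that releases only the listed IDs to the RP.
func release(all Attributes, ids ...string) Attributes {
	out := Attributes{}
	for _, id := range ids {
		if v, ok := all[id]; ok {
			out[id] = v
		}
	}
	return out
}

func main() {
	// Constructed principals: the exercise's two users, with uid as the username attribute.
	users := map[string]Attributes{
		"teppo":  {"uid": {"teppo"}, "mail": {"teppo@example.org"}},
		"teppo2": {"uid": {"teppo2"}, "mail": {"teppo2@example.org"}},
	}
	for _, name := range []string{"teppo", "teppo2"} {
		u := users[name]
		f := release(u, "mail") // a policy that does not release uid to test_rp
		fmt.Printf("%-7s unfiltered=%-18s filtered=%s\n", name,
			ContextCheck(ExerciseCondition(true), "test_rp", u, f),
			ContextCheck(ExerciseCondition(false), "test_rp", u, f))
	}
}
```

    The run shows why the exercise sets useUnfilteredAttributes to true: with it, the decision depends only on who the user is, while with false the same condition silently denies teppo2 as soon as the filter policy stops releasing uid to test_rp. The RelyingPartyId member of the AND also means the condition is false for every other RP, which only matters if the context-check flow is later attached to the default relying party as well.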


...