Profile Configurations

Section Topics
  • SAML and OIDC profile configurations
  • Profile configuration options
  • Default vs. RP-specific profile configurations

SAML and OIDC profile configurations

Default (SAML) profile configurations
  • The profile configuration file is /opt/shibboleth-idp/conf/relying-party.xml

    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:context="http://www.springframework.org/schema/context"
           xmlns:util="http://www.springframework.org/schema/util"
           xmlns:p="http://www.springframework.org/schema/p"
           xmlns:c="http://www.springframework.org/schema/c"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                               http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                               http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
           default-init-method="initialize"
           default-destroy-method="destroy">
    
        <!--
        Unverified RP configuration, defaults to no support for any profiles. Add <ref> elements to the list
        to enable specific default profile settings (as below), or create new beans inline to override defaults.
    
        "Unverified" typically means the IdP has no metadata, or equivalent way of assuring the identity and
        legitimacy of a requesting system. To run an "open" IdP, you can enable profiles here.
        -->
        <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
            <property name="profileConfigurations">
                <list>
                <!-- <bean parent="SAML2.SSO" p:encryptAssertions="false" /> -->
                </list>
            </property>
        </bean>
    
        <!--
        Default configuration, with default settings applied for all profiles, and enables
        the attribute-release consent flow.
        -->
        <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
            <property name="profileConfigurations">
                <list>
                    <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                    <ref bean="SAML1.AttributeQuery" />
                    <ref bean="SAML1.ArtifactResolution" />
                    <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                    <ref bean="SAML2.ECP" />
                    <ref bean="SAML2.Logout" />
                    <ref bean="SAML2.AttributeQuery" />
                    <ref bean="SAML2.ArtifactResolution" />
                    <ref bean="Liberty.SSOS" />
                </list>
            </property>
        </bean>
    
    
    ...



Relying party configuration (SAML + OIDC)
  • The main configuration file is /opt/shibboleth-idp/conf/relying-party.xml

    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:context="http://www.springframework.org/schema/context"
           xmlns:util="http://www.springframework.org/schema/util"
           xmlns:p="http://www.springframework.org/schema/p"
           xmlns:c="http://www.springframework.org/schema/c"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                               http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                               http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
           default-init-method="initialize"
           default-destroy-method="destroy">
    
        <import resource="oidc-relying-party.xml"/>
    
        <bean id="shibboleth.UnverifiedRelyingParty"  p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" parent="RelyingParty">
            <property name="profileConfigurations">
                <list>
                    <bean parent="OIDC.Registration" />
                    <bean parent="OIDC.Configuration" />
                </list>
            </property>
        </bean>
    
        <bean id="shibboleth.DefaultRelyingParty" p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" parent="RelyingParty">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                    <ref bean="SAML2.Logout" />
                    <bean parent="OIDC.SSO" p:postAuthenticationFlows="attribute-release" />
                    <bean parent="OIDC.UserInfo"/>
                    <bean parent="OAUTH2.Revocation"/>
                </list>
            </property>
        </bean>
    
    ...


Profile configuration options


  • https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/ProfileConfigurations
  • https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration
    • Shared options with all configurations
      • Standard security configuration and our extensions.
        • Used in various ways, depending on the context
          • OIDC.Configuration: signing + encryption configuration (credentials, algorithms) for openid-configuration
          • OIDC.Registration: which signing + encryption configuration details are supported
          • OIDC.SSO: which signing + encryption configuration is enabled
      • Inbound interceptor flows
      • Outbound interceptor flows
    • Client-authenticable configuration options for OIDC.SSO, OIDC.Registration and OAUTH2.Revocation
      • Endpoint authentication methods
    • Flow-aware configuration options for OIDC.SSO and OIDC.Registration
      • Flags to enable implicit, hybrid and authorization code flows
      • Flag to enable refresh tokens
    • Flow-specific options
      • Multiple options, especially for OIDC.SSO and OIDC.Registration (lifetimes, etc.)
      • Post authentication flows, default authentication methods for OIDC.SSO

Default vs. RP-specific profile configurations


Profile configuration vs. client metadata - overlapping configurations
  • Default profile configurations enable a wide set of features
  • The standard shibboleth.RelyingPartyOverrides mechanism can be used with OIDC RPs too

    Snippet of /opt/shibboleth-idp/conf/relying-party.xml:
    ...
    
        <util:list id="shibboleth.RelyingPartyOverrides">
            <bean parent="RelyingPartyByName"  p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" c:relyingPartyIds="test_rp">
                <property name="profileConfigurations">
                    <list>
                        <bean parent="OIDC.SSO" />
                    </list>
                </property>
            </bean>
        </util:list>
    
    ...


  • Some of the profile configuration options have overlapping claims in the client metadata
    • E.g. token endpoint authentication methods
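The relying-party.xml snippets above and the shibboleth.RelyingPartyOverrides list are plain Spring bean definitions, so an operator can audit them mechanically. The following is an added example, not part of this page or of the IdP or the OIDC extension: it parses a constructed relying-party.xml built from the page's own snippets (the real file is truncated here, so the sample only mirrors what is shown), lists which profile configuration beans each relying-party definition enables together with their p: settings, and flags an "open" IdP, meaning the unverified relying party is allowed to complete an authentication profile. The AUTH_PROFILES set is this example's own classification, not a list taken from the IdP.

```python
"""Audit a Shibboleth IdP relying-party.xml for enabled profile configurations.

Added example, not part of the training page or of the IdP/extension code.
"""
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
UTIL = "http://www.springframework.org/schema/util"
C_NS = "http://www.springframework.org/schema/c"
P_NS = "http://www.springframework.org/schema/p"

# Profiles that let a client obtain an authentication result or tokens.
# Assumption of this example: enabling any of these for the unverified
# relying party is what the page's comment calls an "open" IdP.
AUTH_PROFILES = {"SAML2.SSO", "Shibboleth.SSO", "SAML2.ECP", "OIDC.SSO", "Liberty.SSOS"}

# Constructed sample mirroring the page's snippets (truncated parts omitted).
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c">
    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="OIDC.Registration" />
                <bean parent="OIDC.Configuration" />
            </list>
        </property>
    </bean>
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML2.Logout" />
                <bean parent="OIDC.SSO" p:postAuthenticationFlows="attribute-release"
                      p:additionalAudiencesForIdToken="test_api" />
                <bean parent="OIDC.UserInfo"/>
                <bean parent="OAUTH2.Revocation"/>
            </list>
        </property>
    </bean>
    <util:list id="shibboleth.RelyingPartyOverrides">
        <bean parent="RelyingPartyByName" c:relyingPartyIds="test_rp">
            <property name="profileConfigurations">
                <list>
                    <bean parent="OIDC.SSO" />
                </list>
            </property>
        </bean>
    </util:list>
</beans>"""


def _profiles(rp_bean):
    """Return {profile name: {p-attribute: value}} for one relying-party bean."""
    out = {}
    for prop in rp_bean.findall(f"{{{BEANS}}}property"):
        if prop.get("name") != "profileConfigurations":
            continue
        for child in prop.iter():
            # Inline <bean parent="X"> and <ref bean="X"> both enable profile X.
            if child.tag == f"{{{BEANS}}}bean" and child.get("parent"):
                name = child.get("parent")
            elif child.tag == f"{{{BEANS}}}ref" and child.get("bean"):
                name = child.get("bean")
            else:
                continue
            # p:foo="bar" attributes carry the profile's own settings.
            settings = {k.split("}")[1]: v for k, v in child.attrib.items()
                        if k.startswith(f"{{{P_NS}}}")}
            out[name] = settings
    return out


def audit(xml_text):
    """Map each relying-party definition (defaults and overrides) to its enabled profiles."""
    root = ET.fromstring(xml_text)
    result = {}
    for bean in root.findall(f"{{{BEANS}}}bean"):
        if bean.get("id") in ("shibboleth.UnverifiedRelyingParty", "shibboleth.DefaultRelyingParty"):
            result[bean.get("id")] = _profiles(bean)
    overrides = root.find(f"{{{UTIL}}}list[@id='shibboleth.RelyingPartyOverrides']")
    if overrides is not None:
        for bean in overrides.findall(f"{{{BEANS}}}bean"):
            ids = bean.get(f"{{{C_NS}}}relyingPartyIds", "<unnamed override>")
            result[f"override:{ids}"] = _profiles(bean)
    return result


def is_open_idp(audit_result):
    """True when unverified (metadata-less) RPs may complete an authentication profile."""
    unverified = audit_result.get("shibboleth.UnverifiedRelyingParty", {})
    return bool(AUTH_PROFILES & set(unverified))


if __name__ == "__main__":
    report = audit(SAMPLE_XML)
    for rp, profiles in report.items():
        print(rp)
        for name, settings in profiles.items():
            print(f"  {name} {settings or ''}")
    print("open IdP:", is_open_idp(report))
```

Run it against a real file with `audit(open("/opt/shibboleth-idp/conf/relying-party.xml").read())`; the sample above deliberately leaves OIDC.Registration and OIDC.Configuration on the unverified relying party, which is not an authentication profile, so is_open_idp returns False.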


Exercises

Exercise 5.1 - Modifying default profile configuration
  1. Add the additional audience test_api for all authenticated relying parties

    Snippet of /opt/shibboleth-idp/conf/relying-party.xml:
    ...
    
        <bean id="shibboleth.DefaultRelyingParty" p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" parent="RelyingParty">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                    <ref bean="SAML2.Logout" />
                    <bean parent="OIDC.SSO" p:postAuthenticationFlows="attribute-release" p:additionalAudiencesForIdToken="test_api" />
                    <bean parent="OIDC.UserInfo"/>
                    <bean parent="OAUTH2.Revocation"/>
                </list>
            </property>
        </bean>
    
    ...


  2. Verify that the additional audience is visible in the id_token.

    Hints, Tips and Result:
    [OIDC_CLAIM_aud] => test_rp,test_api

