
Exercise 5.3 - Advanced access-control configuration with context-check

The goal of this exercise is to configure the test_rp application so that it is accessible only to the user teppo2. Shibboleth IdP provides the context-check interceptor for this purpose.

  1. Add the context-check post-authentication flow to the relying-party configuration

    Snippet of /opt/shibboleth-idp/conf/relying-party.xml:
    ...
    
        <util:list id="shibboleth.RelyingPartyOverrides">
            <bean parent="RelyingPartyByName"  p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" c:relyingPartyIds="test_rp">
                <property name="profileConfigurations">
                    <list>
                        <bean parent="OIDC.SSO" p:postAuthenticationFlows="context-check"/>
                    </list>
                </property>
            </bean>
        </util:list>
    
    ...


  2. Edit /opt/shibboleth-idp/conf/intercept/context-check-intercept-config.xml for your needs. Hint: the existing file is a good basis; check attribute-resolver.xml to find out which attribute carries the username in your configuration.

    Hints, Tips and Result:
    ...
    
    
        <bean id="shibboleth.context-check.Condition" parent="shibboleth.Conditions.AND">
            <constructor-arg>
                <list>
                    <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'test_rp'}}" />
                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
                            p:useUnfilteredAttributes="true">
                        <property name="attributeValueMap">
                            <map>
                                <entry key="uid">
                                    <list>
                                        <value>teppo2</value>
                                    </list>
                                </entry>
                            </map>
                        </property>
                    </bean>
                </list>
            </constructor-arg>
        </bean>
    
    
    ...


  3. Restart the IdP service and try to access the test RP as teppo and as teppo2 (same password). You can log the user out via the /idp/profile/Logout endpoint.

    Snippet of /opt/shibboleth-idp/logs/idp-process.log:
    ...
    2018-10-05 01:20:37,187 - INFO [Shibboleth-Audit.SSO:276] - 20181005T012037Z|AuthenticationRequest||test_rp|http://csc.fi/ns/profiles/oidc/sso/browser|https://192.168.0.150|||teppo|||||
    ...
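As an added example (not part of the exercise or the Shibboleth project), the following script reconciles the Shibboleth-Audit lines against the intended policy (test_rp allowed only for teppo2) and lists the authentication requests the context-check should have denied. The field positions are inferred from the sample log line above and the log lines are constructed; verify the positions against the formatting string in your own audit configuration before using it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample lines modelled on the idp-process.log snippet above.
# Field positions (0 = timestamp, 1 = event, 3 = relying party, 8 = principal)
# are an assumption inferred from that sample; check them against audit.xml.
SAMPLE_LOG = """\
2018-10-05 01:20:37,187 - INFO [Shibboleth-Audit.SSO:276] - 20181005T012037Z|AuthenticationRequest||test_rp|http://csc.fi/ns/profiles/oidc/sso/browser|https://192.168.0.150|||teppo|||||
2018-10-05 01:22:10,004 - INFO [Shibboleth-Audit.SSO:276] - 20181005T012210Z|AuthenticationRequest||test_rp|http://csc.fi/ns/profiles/oidc/sso/browser|https://192.168.0.150|||teppo2|||||
2018-10-05 01:23:41,512 - INFO [Shibboleth-Audit.SSO:276] - 20181005T012341Z|AuthenticationRequest||other_rp|http://csc.fi/ns/profiles/oidc/sso/browser|https://192.168.0.151|||teppo|||||
"""

# Mirrors the context-check condition of the exercise: only teppo2 may use test_rp.
ALLOWED: Dict[str, Set[str]] = {"test_rp": {"teppo2"}}

AUDIT_RE = re.compile(r"\[Shibboleth-Audit\.[^\]]*\] - (?P<rec>.*)$")


@dataclass
class AuditRecord:
    timestamp: str
    event: str
    relying_party: str
    principal: str


def parse_audit_line(line: str) -> Optional[AuditRecord]:
    """Return an AuditRecord for a Shibboleth-Audit line, None for any other line."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = m.group("rec").split("|")
    if len(fields) < 9:
        return None
    return AuditRecord(fields[0], fields[1], fields[3], fields[8])


def policy_violations(log_text: str, allowed: Dict[str, Set[str]] = ALLOWED) -> List[AuditRecord]:
    """Authentication requests to a restricted RP by a principal outside its allow-list.
    These are the requests the context-check interceptor is expected to deny, so
    compare them with the denial events in the process log after the change."""
    hits: List[AuditRecord] = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec.event != "AuthenticationRequest":
            continue
        if rec.relying_party in allowed and rec.principal not in allowed[rec.relying_party]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in policy_violations(SAMPLE_LOG):
        print(f"{rec.timestamp} {rec.principal} -> {rec.relying_party}: not on allow-list")
```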


...