Version 1 (modified by dabantz@…, 10 years ago) (diff) |
---|
ArcGIS provides an online service that integrates with Shibboleth institutional logins. Initial documentation at vendor's site: http://doc.arcgis.com/en/arcgis-online/reference/configure-shibboleth.htm Those instructions are not generalized and require adaptation to a pre-existing environment. Several custom configuration steps required:
- Manually add metadata provided by the vendor's tool. Metadata provided by James Elieff is minimal:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="uaa-geomatics.maps.arcgis.com"> <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://uaa-geomatics.maps.arcgis.com/sharing/rest/oauth2/saml/signin" index="1"/> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://uaa-geomatics.maps.arcgis.com/sharing/rest/oauth2/saml/signin" index="2"/> </md:SPSSODescriptor> <md:Organization xml:lang="en"> <md:OrganizationName xml:lang="en">University of Alaska</md:OrganizationName> <md:OrganizationDisplayName xml:lang="en">University of Alaska</md:OrganizationDisplayName> <md:OrganizationURL xml:lang="en">https://uaa-geomatics.maps.arcgis.com</md:OrganizationURL> </md:Organization> </md:EntityDescriptor>
- Prevent signed assertions from the IdP by creating exemption in $SHIBBOLETH_HOME/conf/handler.xml:
<RelyingParty id="uaa-geomatics.maps.arcgis.com" provider="urn:mace:incommon:alaska.edu" defaultSigningCredentialRef="IdPCredential" defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"> <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" /> </RelyingParty>
- ArcGIS consumes "principal" as the unique identifier of users. Because the UA IdP allows authentication using different identifiers, the IdP may assign different identifiers to the "principal" attribute (that is, either the numeric Banner ID# or the name-based UA Username). To provide a predictable and relatively permanent identifier, the Banner ID #, create a specific attribute encoded as principal, but tied to Banner ID #:
<resolver:AttributeDefinition id="principalasBannerID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="BannerID"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" /> </resolver:AttributeDefinition>
A more robust definition is possible that would utilize the UA AD attribute uaIdentifier in case there is no record of the user in EDIR, or the EDIR record contains no value of BannerID.
- Release the custom principal identifier, along with name and email address:
<AttributeFilterPolicy id="releaseToArcGIS"> <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://uaa-geomatics.maps.arcgis.com" /> <AttributeRule attributeID="principalasBannerID"> <PermitValueRule xsi:type="basic:ANY" /> </AttributeRule> <AttributeRule attributeID="displayname"> <PermitValueRule xsi:type="basic:ANY" /> </AttributeRule> <AttributeRule attributeID="onemail"> <PermitValueRule xsi:type="basic:ANY" /> </AttributeRule> <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="basic:ANY" /> </AttributeRule> </AttributeFilterPolicy>