Changes between Version 1 and Version 2 of Cherwell

Timestamp:

12/02/14 13:38:37 (10 years ago)

Author:

dabantz@…

Comment:

--

Cherwell

@@ -10 +10 @@
 
 Kevin Jacobson is primary vendor contact.
+
+Attribute release policy for Cherwell in $IDP_HOME/conf/attribute-filter.xml
+{{{
+<AttributeFilterPolicy id="releaseToCherwellServiceManager">
+    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://ualaska.cherwellondemand.com" />
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="basic:ANY" />
+        </AttributeRule>
+    <AttributeRule attributeID="uaUsername">
+        <PermitValueRule xsi:type="basic:ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="bannerID">
+        <PermitValueRule xsi:type="basic:ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="displayname">
+        <PermitValueRule xsi:type="basic:ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="onemail">
+        <PermitValueRule xsi:type="basic:ANY" />
+    </AttributeRule>
+</AttributeFilterPolicy>
+}}}
+Additional encoder for the UA Username to be encoded as a NameID with the format needed by Cherwell in $IDP_HOME/conf/attribute-resolver.xml
+{{{
+<!-- Add an encoder that makes the uaUsername a NameID in format requested by Cherwell - note EDIR dependence here -->
+<resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+           nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos" />
+    </resolver:AttributeDefinition>
+}}}
+
+Initially the NameID was being encrypted in the SAML subject, and Cherwell was unable to decrypt that NameID”
+Cherwell returned the message in response to the SAML assertion from the UA IdP:
+        SAML authentication failed: Required NameID format not supported. SAML status codes: 
+        urn:oasis:names:tc:SAML:2.0:status:Responder,urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy
+
+To avoid encryption of the NameID, I removed specific existing configuration phrases in $IDP_HOME/conf/relying-party.xml as follows:
+{{{
+        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" 
+                              includeAttributeStatement="true"
+                              assertionLifetime="PT5M0.000S"
+                              assertionProxyCount="0" 
+                              signResponses="conditional"
+                              signAssertions="never" 
+                              encryptAssertions="conditional" />
+         <!-- removed 2014-09-24:  encryptNameIds="conditional" -->
+        
+        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" 
+                              assertionLifetime="PT5M0.000S"
+                              assertionProxyCount="0" 
+                              signResponses="conditional"
+                              signAssertions="never"
+                              encryptAssertions="conditional" />
+         <!-- removed 2014-09-24:  encryptNameIds="conditional" -->
+}}}
+
+Cherwell metadata provided and added to $IDP_HOME/metadata/sp-metadata.xml
+{{{
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://ualaska.cherwellondemand.com" ID="_694ac3e1-e7b4-4a10-ae8b-d302d8c648b4">
+        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+                <SignedInfo>
+                        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+                        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+                        <Reference URI="#_694ac3e1-e7b4-4a10-ae8b-d302d8c648b4">
+                                <Transforms>
+                                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+                                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+                                                <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default md saml ds xs xsi"/>
+                                        </Transform>
+                                </Transforms>
+                                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+                                <DigestValue>LbV9RU+E+vVOvzM0sTpUxbNdDLU=</DigestValue>
+                        </Reference>
+                </SignedInfo>
+                <SignatureValue>...</SignatureValue>
+                <KeyInfo>
+                        <X509Data>...</X509Data>
+                </KeyInfo>
+        </Signature>
+        <md:SPSSODescriptor ID="_436db0a0-3135-4f6d-92ed-7121c263987b" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
+                <md:KeyDescriptor>
+                        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+                                <X509Data>
+                                        <X509Certificate>...</X509Certificate>
+                                </X509Data>
+                        </KeyInfo>
+                </md:KeyDescriptor>
+                <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+                <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</md:NameIDFormat>
+                <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ualaska.cherwellondemand.com/cherwellservice/Saml/Assertion.aspx" index="1" isDefault="true"/>
+        </md:SPSSODescriptor>
+</md:EntityDescriptor>
+}}}