Last modified 12 years ago
Last modified on 01/17/14 15:45:51
IAM / Projects / Shibboleth / Service Candidates / FuzeMeeting (Fuzebox)
Fuze Meeting (Fuzebox) required some tweaking of config files to integrate with Shibboleth IdP.
- Do not encrypt SAML response
- Use "basic" rather than "URI" format in encoding attributes
- Release the custom-encoded attributes to Fuze and proactively add mail
- Fuze were not able to consume (de-crypt) encrypted assertions and requested the SAML assertion from the IdP be unencrypted. This is provided by adding a custom configuration within relying-party.xml as follows:
<!-- Disable encryption for Fuzebox per vendor request -->
<RelyingParty id="www.fuzemeeting.com"
provider="urn:mace:incommon:alaska.edu"
defaultSigningCredentialRef="IdPCredential"
defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
- Fuze required that the attribute encoding use attrname-format:basic, instead of the default/usual attrname-format:uri. The following distinctively named attributes are encoded in attribute-resolver.xml:
<!-- attributes with non-default encoding; added to meet needs of Fuzebox -->
<resolver:AttributeDefinition id="eduPersonPrincipalName-basic" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="eduPersonPrincipalName-basic">
<resolver:Dependency ref="eduPersonPrincipalName" />
<resolver:AttributeEncoder xsi:type="SAML2ScopedString"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
friendlyName="eduPersonPrincipalName" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="surname-basic" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="surname">
<resolver:Dependency ref="surname" />
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:2.5.4.4"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
friendlyName="sn" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="givenName-basic" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="givenName">
<resolver:Dependency ref="givenName" />
<resolver:AttributeEncoder xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
name="urn:oid:2.5.4.42" friendlyName="givenName" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="email-basic" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="email">
<resolver:Dependency ref="email" />
<resolver:AttributeEncoder xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</resolver:AttributeDefinition>
<!-- END attributes with non-default encoding -->
- In attribute-filter.xml, added this policy to release the appropriate attributes to Fuze:
<AttributeFilterPolicy id="releaseToFuzebox">
<PolicyRequirementRule xsi:type="basic:OR">
<basic:Rule xsi:type="basic:AttributeRequesterString" value="www.fuzemeeting.com" />
<!-- Second entityID is placeholder -->
<basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.fuzemeeting.com/shibboleth" />
</PolicyRequirementRule>
<!-- Vendor demands attributes encoded with nameFormat=...basic rather than default uri -->
<AttributeRule attributeID="eduPersonPrincipalName-basic">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
<!-- Vendor assumes ePPN scoped identifier is also email; send separate email proactively -->
<AttributeRule attributeID="email-basic">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
<AttributeRule attributeID="surname-basic">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
<AttributeRule attributeID="givenName-basic">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
<AttributeRule attributeID="transientId">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
The URL for Fuze Meeting relying on UA authentication is: http://alaskaedu.fuze.me/login
