FuzeBox – IAM / Shibboleth

Context Navigation

Last modified 11 years ago Last modified on 01/17/14 15:45:51

IAM / Projects / Shibboleth / Service Candidates / FuzeMeeting (Fuzebox)

Fuze Meeting (Fuzebox) required some tweaking of config files to integrate with Shibboleth IdP.

Do not encrypt SAML response
Use "basic" rather than "URI" format in encoding attributes
Release the custom-encoded attributes to Fuze and proactively add mail

Fuze were not able to consume (de-crypt) encrypted assertions and requested the SAML assertion from the IdP be unencrypted. This is provided by adding a custom configuration within relying-party.xml as follows:

<!-- Disable encryption for Fuzebox per vendor request -->
   <RelyingParty id="www.fuzemeeting.com"
       provider="urn:mace:incommon:alaska.edu"
       defaultSigningCredentialRef="IdPCredential"
       defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
       <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
   </RelyingParty>

Fuze required that the attribute encoding use attrname-format:basic, instead of the default/usual attrname-format:uri. The following distinctively named attributes are encoded in attribute-resolver.xml:

<!-- attributes with non-default encoding; added to meet needs of Fuzebox -->

<resolver:AttributeDefinition id="eduPersonPrincipalName-basic" xsi:type="Simple" 
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                                  sourceAttributeID="eduPersonPrincipalName-basic">
        <resolver:Dependency ref="eduPersonPrincipalName" />
        <resolver:AttributeEncoder xsi:type="SAML2ScopedString" 
                                  xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                  name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" 
                                  nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                                  friendlyName="eduPersonPrincipalName" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="surname-basic"  xsi:type="Simple" 
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="surname">
        <resolver:Dependency ref="surname" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="urn:oid:2.5.4.4" 
                                   nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
                                   friendlyName="sn" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="givenName-basic"  xsi:type="Simple" 
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="givenName">
        <resolver:Dependency ref="givenName" />
        <resolver:AttributeEncoder xsi:type="SAML2String" 
                           xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                           nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
                           name="urn:oid:2.5.4.42" friendlyName="givenName" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="email-basic" xsi:type="Simple" 
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="email">
        <resolver:Dependency ref="email" />
        <resolver:AttributeEncoder xsi:type="SAML2String" 
                           xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                           nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
                           name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</resolver:AttributeDefinition>
<!-- END attributes with non-default encoding -->

In attribute-filter.xml, added this policy to release the appropriate attributes to Fuze:

<AttributeFilterPolicy id="releaseToFuzebox">
  <PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="www.fuzemeeting.com" />
        <!-- Second entityID is placeholder -->
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.fuzemeeting.com/shibboleth" />
 </PolicyRequirementRule>
<!-- Vendor demands attributes encoded with nameFormat=...basic rather than default uri -->
  <AttributeRule attributeID="eduPersonPrincipalName-basic">
        <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
    <!-- Vendor assumes ePPN scoped identifier is also email; send separate email proactively -->
  <AttributeRule attributeID="email-basic">
        <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="surname-basic">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
  <AttributeRule attributeID="givenName-basic">
        <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
</AttributeFilterPolicy>

The URL for Fuze Meeting relying on UA authentication is: http://alaskaedu.fuze.me/login

Download in other formats:

Plain Text

Context Navigation

​IAM / ​Projects / Shibboleth / Service Candidates / FuzeMeeting (Fuzebox)

Download in other formats:

IAM / Projects / Shibboleth / Service Candidates / FuzeMeeting (Fuzebox)