Changes between Initial Version and Version 1 of FuzeBox


Ignore:
Timestamp:
01/17/14 15:43:05 (11 years ago)
Author:
dabantz@…
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • FuzeBox

    v1 v1  
     1 
     2Fuze Meeting (Fuzebox) required some tweaking of config files to integrate with Shibboleth IdP. 
     3 
     41. Do not encrypt SAML response 
     52. Use "basic" rather than "URI" format in encoding attributes 
     63. Release the custom-encoded attributes to Fuze and proactively add mail  
     7 
     81. Fuze were not able to consume (de-crypt) encrypted assertions and requested the SAML assertion from the IdP be unencrypted.  This is provided by adding a custom configuration within relying-party.xml as follows: 
     9 
     10{{{ 
     11<!-- Disable encryption for Fuzebox per vendor request --> 
     12   <RelyingParty id="www.fuzemeeting.com" 
     13       provider="urn:mace:incommon:alaska.edu" 
     14       defaultSigningCredentialRef="IdPCredential" 
     15       defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"> 
     16       <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" /> 
     17   </RelyingParty> 
     18}}} 
     19 
     202. Fuze required that the attribute encoding use attrname-format:basic, instead of the default/usual attrname-format:uri.  The following distinctively named attributes are encoded in attribute-resolver.xml: 
     21 
     22{{{ 
     23<!-- attributes with non-default encoding; added to meet needs of Fuzebox --> 
     24 
     25<resolver:AttributeDefinition id="eduPersonPrincipalName-basic" xsi:type="Simple"  
     26                              xmlns="urn:mace:shibboleth:2.0:resolver:ad" 
     27                                  sourceAttributeID="eduPersonPrincipalName-basic"> 
     28        <resolver:Dependency ref="eduPersonPrincipalName" /> 
     29        <resolver:AttributeEncoder xsi:type="SAML2ScopedString"  
     30                                  xmlns="urn:mace:shibboleth:2.0:attribute:encoder" 
     31                                  name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  
     32                                  nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
     33                                  friendlyName="eduPersonPrincipalName" /> 
     34</resolver:AttributeDefinition> 
     35 
     36<resolver:AttributeDefinition id="surname-basic"  xsi:type="Simple"  
     37                              xmlns="urn:mace:shibboleth:2.0:resolver:ad" 
     38                              sourceAttributeID="surname"> 
     39        <resolver:Dependency ref="surname" /> 
     40        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" 
     41                                   name="urn:oid:2.5.4.4"  
     42                                   nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"  
     43                                   friendlyName="sn" /> 
     44</resolver:AttributeDefinition> 
     45 
     46<resolver:AttributeDefinition id="givenName-basic"  xsi:type="Simple"  
     47                              xmlns="urn:mace:shibboleth:2.0:resolver:ad" 
     48                              sourceAttributeID="givenName"> 
     49        <resolver:Dependency ref="givenName" /> 
     50        <resolver:AttributeEncoder xsi:type="SAML2String"  
     51                           xmlns="urn:mace:shibboleth:2.0:attribute:encoder" 
     52                           nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"  
     53                           name="urn:oid:2.5.4.42" friendlyName="givenName" /> 
     54</resolver:AttributeDefinition> 
     55 
     56<resolver:AttributeDefinition id="email-basic" xsi:type="Simple"  
     57                              xmlns="urn:mace:shibboleth:2.0:resolver:ad" 
     58                              sourceAttributeID="email"> 
     59        <resolver:Dependency ref="email" /> 
     60        <resolver:AttributeEncoder xsi:type="SAML2String"  
     61                           xmlns="urn:mace:shibboleth:2.0:attribute:encoder" 
     62                           nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"  
     63                           name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" /> 
     64</resolver:AttributeDefinition> 
     65<!-- END attributes with non-default encoding --> 
     66 
     67}}} 
     683. In attribute-filter.xml, added this policy to release the appropriate attributes to Fuze: 
     69 
     70{{{ 
     71<AttributeFilterPolicy id="releaseToFuzebox"> 
     72  <PolicyRequirementRule xsi:type="basic:OR"> 
     73        <basic:Rule xsi:type="basic:AttributeRequesterString" value="www.fuzemeeting.com" /> 
     74        <!-- Second entityID is placeholder --> 
     75        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.fuzemeeting.com/shibboleth" /> 
     76 </PolicyRequirementRule> 
     77<!-- Vendor demands attributes encoded with nameFormat=...basic rather than default uri --> 
     78  <AttributeRule attributeID="eduPersonPrincipalName-basic"> 
     79        <PermitValueRule xsi:type="basic:ANY" /> 
     80  </AttributeRule> 
     81    <!-- Vendor assumes ePPN scoped identifier is also email; send separate email proactively --> 
     82  <AttributeRule attributeID="email-basic"> 
     83        <PermitValueRule xsi:type="basic:ANY" /> 
     84  </AttributeRule> 
     85  <AttributeRule attributeID="surname-basic"> 
     86      <PermitValueRule xsi:type="basic:ANY" /> 
     87    </AttributeRule> 
     88  <AttributeRule attributeID="givenName-basic"> 
     89        <PermitValueRule xsi:type="basic:ANY" /> 
     90  </AttributeRule> 
     91  <AttributeRule attributeID="transientId"> 
     92        <PermitValueRule xsi:type="basic:ANY" /> 
     93  </AttributeRule> 
     94</AttributeFilterPolicy> 
     95}}} 
     96 
     97The URL for Fuze Meeting relying on UA authentication is: 
     98http://alaskaedu.fuze.me/login