Fuze Meeting (Fuzebox) required some tweaking of config files to integrate with Shibboleth IdP.
- Do not encrypt the SAML assertion (or NameID) sent to this SP
- Use "basic" rather than "URI" format in encoding attributes
- Release the custom-encoded attributes to Fuze and proactively add mail
- Fuze was not able to consume (decrypt) encrypted assertions and asked that the SAML assertion from the IdP be sent unencrypted. Note what this gives up: the released attributes (ePPN, mail, sn, givenName) now travel through the user's browser in clear text inside the signed response, protected only by TLS on the SP's AssertionConsumerService endpoint, so confirm that endpoint is https in the SP metadata before enabling this. The change is a relying-party override in relying-party.xml as follows:
<!-- Disable encryption for Fuzebox per vendor request.
     The id must equal the SP's entityID exactly; attribute-filter.xml also lists
     "https://www.fuzemeeting.com/shibboleth" as a placeholder, so if that turns out to be
     the real entityID this override will not match and assertions stay encrypted (and
     Fuze will fail to consume them). With encryptAssertions="never" the assertion is carried
     through the user's browser (front-channel SSO) in clear text inside the signed response,
     so confidentiality of ePPN/mail/sn/givenName rests on TLS at the SP's
     AssertionConsumerService. Signing settings are not overridden here and keep the
     SAML2SSOProfile defaults. -->
<RelyingParty id="www.fuzemeeting.com"
              provider="urn:mace:incommon:alaska.edu"
              defaultSigningCredentialRef="IdPCredential"
              defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
    <!-- Only encryption is relaxed. encryptNameIds="never" also matters because
         transientId is released to this SP by the attribute filter policy. -->
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                          encryptAssertions="never"
                          encryptNameIds="never" />
</RelyingParty>
- Fuze required that the attribute encoding use attrname-format:basic instead of the default attrname-format:uri. The following distinctively named "-basic" definitions are added to attribute-resolver.xml; they are separate definitions so the standard uri-encoded attributes used for other SPs are left untouched:
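<!-- attributes with non-default encoding; added to meet needs of Fuzebox.
     Each "-basic" definition wraps an existing attribute and re-encodes it with
     attrname-format:basic, leaving the standard uri-encoded definitions (and the SPs
     that consume them) untouched. Each Simple definition depends on exactly one
     AttributeDefinition and names that dependency in sourceAttributeID. -->
<resolver:AttributeDefinition id="eduPersonPrincipalName-basic"
                              xsi:type="Simple"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="eduPersonPrincipalName">
    <!-- NOTE(review): sourceAttributeID previously pointed at this definition's own id
         ("eduPersonPrincipalName-basic") rather than at the dependency, unlike the three
         sibling definitions below; aligned with the dependency here. Verify that ePPN
         actually appears in the assertion to Fuze after reloading the resolver. -->
    <resolver:Dependency ref="eduPersonPrincipalName" />
    <!-- Scoped encoder keeps the user@scope form; OID name kept, only nameFormat changes -->
    <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                               friendlyName="eduPersonPrincipalName" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="surname-basic"
                              xsi:type="Simple"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="surname">
    <resolver:Dependency ref="surname" />
    <resolver:AttributeEncoder xsi:type="SAML2String"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:oid:2.5.4.4"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                               friendlyName="sn" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="givenName-basic"
                              xsi:type="Simple"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="givenName">
    <resolver:Dependency ref="givenName" />
    <resolver:AttributeEncoder xsi:type="SAML2String"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                               name="urn:oid:2.5.4.42"
                               friendlyName="givenName" />
</resolver:AttributeDefinition>

<!-- Sent in addition to ePPN because the vendor otherwise assumes ePPN is the user's email -->
<resolver:AttributeDefinition id="email-basic"
                              xsi:type="Simple"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="email">
    <resolver:Dependency ref="email" />
    <resolver:AttributeEncoder xsi:type="SAML2String"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                               name="urn:oid:0.9.2342.19200300.100.1.3"
                               friendlyName="mail" />
</resolver:AttributeDefinition>
<!-- END attributes with non-default encoding -->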
- In attribute-filter.xml, add this policy to release the appropriate attributes to Fuze. Release is keyed on the requester's entityID, which the IdP only evaluates for an SP present in its loaded metadata; the second entityID in the OR is a placeholder and should be removed once Fuze's real entityID is confirmed:
<!-- Release policy for Fuzebox. The AttributeRequesterString rules match the SP entityID
     exactly; the relying-party.xml encryption override keys on "www.fuzemeeting.com" only,
     so both files must agree on the SP's real entityID. -->
<AttributeFilterPolicy id="releaseToFuzebox">
    <PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="www.fuzemeeting.com" />
        <!-- Second entityID is placeholder: remove it once Fuze's actual entityID is
             confirmed, so attributes are not released to whatever SP later appears in
             metadata under this guessed name -->
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.fuzemeeting.com/shibboleth" />
    </PolicyRequirementRule>
    <!-- Vendor demands attributes encoded with nameFormat=...basic rather than default uri;
         the "-basic" ids are the separate definitions from attribute-resolver.xml -->
    <AttributeRule attributeID="eduPersonPrincipalName-basic">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <!-- Vendor assumes ePPN scoped identifier is also email; send separate email proactively -->
    <AttributeRule attributeID="email-basic">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname-basic">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName-basic">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <!-- transientId (presumably the NameID for this SP) is sent unencrypted because
         relying-party.xml sets encryptNameIds="never" for this relying party -->
    <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
The user-facing login URL for Fuze Meeting relying on UA authentication is: http://alaskaedu.fuze.me/login (note this entry point is plain http; because assertions to this SP are now unencrypted, confirm that the AssertionConsumerService URL in Fuze's SP metadata is https).