wiki:FuzeBox

Version 2 (modified by dabantz@…, 11 years ago) (diff)

--

IAM / Projects / Shibboleth / Service Candidates / FuzeMeeting? (Fuzebox)

Fuze Meeting (Fuzebox) required some tweaking of config files to integrate with Shibboleth IdP.

  1. Do not encrypt SAML response
  2. Use "basic" rather than "URI" format in encoding attributes
  3. Release the custom-encoded attributes to Fuze and proactively add mail
  1. Fuze were not able to consume (de-crypt) encrypted assertions and requested the SAML assertion from the IdP be unencrypted. This is provided by adding a custom configuration within relying-party.xml as follows:
<!-- Disable encryption for Fuzebox per vendor request -->
   <RelyingParty id="www.fuzemeeting.com"
       provider="urn:mace:incommon:alaska.edu"
       defaultSigningCredentialRef="IdPCredential"
       defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
       <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
   </RelyingParty>
  1. Fuze required that the attribute encoding use attrname-format:basic, instead of the default/usual attrname-format:uri. The following distinctively named attributes are encoded in attribute-resolver.xml:
<!-- attributes with non-default encoding; added to meet needs of Fuzebox -->

<resolver:AttributeDefinition id="eduPersonPrincipalName-basic" xsi:type="Simple" 
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                                  sourceAttributeID="eduPersonPrincipalName-basic">
        <resolver:Dependency ref="eduPersonPrincipalName" />
        <resolver:AttributeEncoder xsi:type="SAML2ScopedString" 
                                  xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                  name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" 
                                  nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                                  friendlyName="eduPersonPrincipalName" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="surname-basic"  xsi:type="Simple" 
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="surname">
        <resolver:Dependency ref="surname" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="urn:oid:2.5.4.4" 
                                   nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
                                   friendlyName="sn" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="givenName-basic"  xsi:type="Simple" 
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="givenName">
        <resolver:Dependency ref="givenName" />
        <resolver:AttributeEncoder xsi:type="SAML2String" 
                           xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                           nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
                           name="urn:oid:2.5.4.42" friendlyName="givenName" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="email-basic" xsi:type="Simple" 
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="email">
        <resolver:Dependency ref="email" />
        <resolver:AttributeEncoder xsi:type="SAML2String" 
                           xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                           nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
                           name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</resolver:AttributeDefinition>
<!-- END attributes with non-default encoding -->

  1. In attribute-filter.xml, added this policy to release the appropriate attributes to Fuze:
<AttributeFilterPolicy id="releaseToFuzebox">
  <PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="www.fuzemeeting.com" />
        <!-- Second entityID is placeholder -->
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.fuzemeeting.com/shibboleth" />
 </PolicyRequirementRule>
<!-- Vendor demands attributes encoded with nameFormat=...basic rather than default uri -->
  <AttributeRule attributeID="eduPersonPrincipalName-basic">
        <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
    <!-- Vendor assumes ePPN scoped identifier is also email; send separate email proactively -->
  <AttributeRule attributeID="email-basic">
        <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="surname-basic">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
  <AttributeRule attributeID="givenName-basic">
        <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
</AttributeFilterPolicy>

The URL for Fuze Meeting relying on UA authentication is: http://alaskaedu.fuze.me/login