wiki:HealthyRoads


  1. Import the HealthyRoads SP metadata. Metadata for the test environment was provided by the vendor via email; production metadata is still awaited as of 2014-01-21.
<!-- SP metadata for the TEST environment as received from the vendor (step 1 above). It arrived by email rather than from a signed or authenticated metadata source, so confirm the certificate fingerprints and endpoint URLs with the vendor out of band before importing; the certificates are elided on this page. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://www.healthyroadstest.com/saml/UniversityOfAlaska">
  <!-- NOTE(review): WantAuthnRequestsSigned is an IDPSSODescriptor attribute. SPSSODescriptor defines AuthnRequestsSigned and WantAssertionsSigned instead, so a schema-validating metadata loader may reject this element. -->
  <md:SPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Certificate the SP signs its messages with (elided here). -->
    <md:KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </md:KeyDescriptor>
    <!-- Certificate the IdP encrypts assertions to for this SP (elided here). -->
    <md:KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>...</X509Certificate>
        </X509Data>
      </KeyInfo>
      <!-- NOTE(review): rsa-1_5 is RSA PKCS#1 v1.5 key transport, which has known padding-oracle weaknesses; ask the vendor whether rsa-oaep-mgf1p is supported before production. The xmlns:md redeclaration here is redundant but harmless. -->
      <md:EncryptionMethod xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
    </md:KeyDescriptor>
    <!-- Both SLO bindings point at the same vendor logout endpoint. -->
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://www.healthyroadstest.com/saml/UniversityOfAlaska/saml20serviceproviderlogout.aspx" />
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.healthyroadstest.com/saml/UniversityOfAlaska/saml20serviceproviderlogout.aspx" />
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <!-- NOTE(review): SingleSignOnService is defined for IDPSSODescriptor only and is not valid inside SPSSODescriptor; a schema-validating loader may reject these two elements. The SP login endpoint is correctly declared as the AssertionConsumerService below. -->
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://www.healthyroadstest.com/saml/UniversityOfAlaska/saml20serviceproviderlogin.aspx" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.healthyroadstest.com/saml/UniversityOfAlaska/saml20serviceproviderlogin.aspx" />
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.healthyroadstest.com/saml/UniversityOfAlaska/saml20serviceproviderlogin.aspx" index="0" isDefault="true" />
    <!-- Attributes the vendor asks for; UniqueMemberID and MemberSuffix are defined in step 2 and use the "basic" name format. -->
    <md:AttributeConsumingService isDefault="true" index="0">
      <md:ServiceName xml:lang="en">ASH SAML Service Provider Portal</md:ServiceName>
      <!-- NOTE(review): isRequired is xs:boolean; "True"/"False" are not valid lexical forms (must be lowercase "true"/"false"). -->
      <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="UniqueMemberID" isRequired="True" />
      <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MemberSuffix" isRequired="True" />
      <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email" isRequired="False" />
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">ASH Companies</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">ASH Companies</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en" />
  </md:Organization>
  <!-- The technical contact block is empty (no name, email or phone); obtain a vendor technical contact before the production cutover. -->
  <md:ContactPerson contactType="technical">
    <md:Company>ASH Companies</md:Company>
    <md:GivenName />
    <md:SurName />
    <md:EmailAddress />
    <md:TelephoneNumber />
  </md:ContactPerson>
</md:EntityDescriptor>
  1. Create the vendor-specific attributes UniqueMemberID and MemberSuffix. Note that they are encoded with the "basic" name format rather than the usual "uri" format.
<!-- UniqueMemberID for HealthyRoads SP is employee # = bannerID per UA Benefits -->
<!-- If and when dependents use SSO to HealthyRoads, the UniqueMemberID will need to be the benefits-eligible employee ID# -->
<!-- Simple definition: passes the BannerID value from the myLDAP connector through unchanged and encodes it as a SAML 2 string attribute named UniqueMemberID with the "basic" name format the vendor metadata requests. BannerID is an internal identifier, so its release is limited to this SP by the filter policy in step 3. -->
<resolver:AttributeDefinition id="UniqueMemberID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="BannerID">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="UniqueMemberID" 
                                   nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                                   friendlyName="UniqueMemberID"/>
    </resolver:AttributeDefinition>

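<!-- Create "MemberSuffix" with value of 00 for all employees for HealthyRoads SP, per UA Benefits Office -->
<!-- Scripted definition: emits the constant "00" when eduPersonAffiliation contains "employee" (either case). Otherwise the attribute has no values and nothing is released for it. -->
<resolver:AttributeDefinition id="MemberSuffix" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="eduPersonAffiliation" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="MemberSuffix"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                               friendlyName="MemberSuffix" />
    <Script>
    <![CDATA[
    importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
    importPackage(Packages.org.slf4j);

    logger = LoggerFactory.getLogger("edu.internet2.middleware.shibboleth.resolver.Script.scriptTest");
    logger.debug("Starting MemberSuffix Attribute Resolver Script:");

    // The resolver normally pre-creates the output attribute; create it only if absent.
    if (MemberSuffix == null) {MemberSuffix = new BasicAttribute("MemberSuffix");}

    // Guard the dependency: if the principal has no eduPersonAffiliation values the
    // variable may be null, and the previous unguarded getValues() call would have
    // failed the whole resolution instead of simply releasing no MemberSuffix.
    if (eduPersonAffiliation != null) {
        var affiliations = eduPersonAffiliation.getValues();
        if (affiliations.contains("employee") || affiliations.contains("Employee")) {
            MemberSuffix.getValues().add("00");
        }
    } else {
        logger.debug("eduPersonAffiliation not resolved; MemberSuffix left empty");
    }
    ]]>
    </Script>
</resolver:AttributeDefinition>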

  1. Attribute Release (for benefits-eligible employees). This releases the custom attributes for this vendor, that is, UniqueMemberID and MemberSuffix.
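<!-- Release policy for HealthyRoads. Insert this element alongside the other AttributeFilterPolicy elements in the IdP's attribute filter policy file (no stray closing tag precedes it). -->
<!-- The requester rule matches the test entityID and the expected production entityID, so the same policy applies once production metadata is imported. -->
<AttributeFilterPolicy id="releaseToHealthyRoads">
    <PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.healthyroadstest.com/saml/UniversityOfAlaska" />
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.healthyroads.com/saml/UniversityOfAlaska" />
    </PolicyRequirementRule>
    <!-- Vendor-specific attributes defined in step 2 and requested as required in the SP metadata. -->
    <AttributeRule attributeID="UniqueMemberID">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="MemberSuffix">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <!-- NOTE(review): displayname is not among the RequestedAttribute entries in the SP metadata, and Email is requested only as optional. Confirm with UA Benefits that both are actually needed; releasing attributes the SP did not ask for exceeds the minimum necessary disclosure. -->
    <AttributeRule attributeID="displayname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>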

  1. Use IdP-initiated (unsolicited) SSO, at least in the test instance:
https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https://www.healthyroadstest.com/saml/UniversityOfAlaska