- Import HealthyRoads SP metadata. The test metadata was provided by the vendor via email; production metadata is still pending as of 2014-01-21.
<!-- SP metadata for the HealthyRoads TEST instance (see entityID); production metadata is expected separately. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://www.healthyroadstest.com/saml/UniversityOfAlaska">
<!-- NOTE(review): WantAuthnRequestsSigned is an IDPSSODescriptor attribute in the SAML 2.0 metadata schema. The SP-role
     attributes are AuthnRequestsSigned and WantAssertionsSigned, and neither is set here. A schema-validating consumer
     may reject this element, and assertion signing for this SP is therefore governed by the IdP's own configuration. -->
<md:SPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<!-- Certificate elided on this page. The metadata arrived by email: confirm the certificate fingerprint with the vendor
     over a second channel before relying on it to verify the SP's signatures. -->
<X509Certificate>...</X509Certificate>
</X509Data>
</KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<!-- Certificate elided on this page; the same out-of-band fingerprint check applies. -->
<X509Certificate>...</X509Certificate>
</X509Data>
</KeyInfo>
<!-- NOTE(review): rsa-1_5 (RSA PKCS#1 v1.5 key transport) is susceptible to padding-oracle attacks against the
     decrypting side; prefer http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p if the vendor supports it.
     The xmlns:md redeclaration on this element is redundant (already declared on the root). -->
<md:EncryptionMethod xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
</md:KeyDescriptor>
<!-- Both logout bindings point at the same endpoint. -->
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://www.healthyroadstest.com/saml/UniversityOfAlaska/saml20serviceproviderlogout.aspx" />
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.healthyroadstest.com/saml/UniversityOfAlaska/saml20serviceproviderlogout.aspx" />
<!-- The SP asks for a persistent NameID; the IdP must be configured to generate persistent identifiers for this SP
     (that configuration is not shown on this page). -->
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<!-- NOTE(review): SingleSignOnService is an IDPSSODescriptor element and is not permitted inside SPSSODescriptor by
     the SAML 2.0 metadata schema. A schema-validating consumer may reject the whole file; ask the vendor to remove
     these two elements, or strip them before import. -->
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://www.healthyroadstest.com/saml/UniversityOfAlaska/saml20serviceproviderlogin.aspx" />
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.healthyroadstest.com/saml/UniversityOfAlaska/saml20serviceproviderlogin.aspx" />
<!-- The only assertion consumer endpoint; assertions are delivered here by HTTP-POST. -->
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.healthyroadstest.com/saml/UniversityOfAlaska/saml20serviceproviderlogin.aspx" index="0" isDefault="true" />
<!-- Requested attributes use the "basic" NameFormat; the IdP-side encoders for UniqueMemberID and MemberSuffix on
     this page use the same format so the SP can match them by Name. -->
<md:AttributeConsumingService isDefault="true" index="0">
<md:ServiceName xml:lang="en">ASH SAML Service Provider Portal</md:ServiceName>
<!-- NOTE(review): isRequired is xs:boolean, whose lexical forms are true/false/1/0; "True" and "False" are not
     schema-valid values and may be rejected by a validating consumer. -->
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="UniqueMemberID" isRequired="True" />
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MemberSuffix" isRequired="True" />
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email" isRequired="False" />
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">ASH Companies</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">ASH Companies</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en" />
</md:Organization>
<!-- All contact fields are empty: no vendor technical contact is recorded here for incident or outage follow-up;
     obtain one when the production metadata is received. -->
<md:ContactPerson contactType="technical">
<md:Company>ASH Companies</md:Company>
<md:GivenName />
<md:SurName />
<md:EmailAddress />
<md:TelephoneNumber />
</md:ContactPerson>
</md:EntityDescriptor>
- Create the attributes unique to this vendor, UniqueMemberID and MemberSuffix. Note that they are encoded with a NameFormat of "basic" rather than the usual "uri".
<!-- UniqueMemberID for the HealthyRoads SP is the employee number, i.e. the BannerID, per UA Benefits -->
<!-- If and when dependents use SSO to HealthyRoads, the UniqueMemberID will need to be the benefits-eligible employee ID# -->
<!-- Simple definition: copies the BannerID attribute from the myLDAP connector and exposes it as UniqueMemberID.
     BannerID is an internal persistent identifier, so it is released only where a filter policy permits it (on this
     page, the releaseToHealthyRoads policy). Assumes the myLDAP connector exports an attribute named BannerID;
     confirm against the connector definition. -->
<resolver:AttributeDefinition id="UniqueMemberID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="BannerID">
<resolver:Dependency ref="myLDAP" />
<!-- "basic" NameFormat matches the SP's RequestedAttribute Name="UniqueMemberID" in its metadata. -->
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="UniqueMemberID"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
friendlyName="UniqueMemberID"/>
</resolver:AttributeDefinition>
<!-- Create "MemberSuffix" with value of 00 for all employees for HealthyRoads SP, per UA Benefits Office -->
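<resolver:AttributeDefinition id="MemberSuffix" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
<!-- Input attribute; the script only tests it for the value "employee" (either case). -->
<resolver:Dependency ref="eduPersonAffiliation" />
<!-- "basic" NameFormat matches the SP's RequestedAttribute Name="MemberSuffix" in its metadata. -->
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="MemberSuffix"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
friendlyName="MemberSuffix" />
<Script>
<![CDATA[
// Produces MemberSuffix = "00" for users whose eduPersonAffiliation contains "employee" or "Employee".
// Every other user gets no MemberSuffix value, and the SP's metadata marks the attribute as required,
// so non-employees are expected to be refused by the SP rather than by the IdP.
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
importPackage(Packages.org.slf4j);
// Logger category kept unchanged; the "scriptTest" suffix looks like a leftover test-time name.
var logger = LoggerFactory.getLogger("edu.internet2.middleware.shibboleth.resolver.Script.scriptTest");
logger.debug("Starting MemberSuffix Attribute Resolver Script:");
// The result attribute may not exist yet; create it so the add below never touches a null.
if (MemberSuffix == null) {MemberSuffix = new BasicAttribute("MemberSuffix");}
// Guard the dependency: calling getValues() on a null eduPersonAffiliation would throw and fail attribute
// resolution for that user. A user without any affiliation should simply receive no suffix.
// NOTE(review): assumes the dependency is always bound as a script variable (possibly null); confirm for this IdP version.
if (eduPersonAffiliation != null) {
    var affiliations = eduPersonAffiliation.getValues();
    if (affiliations.contains("employee") || affiliations.contains("Employee")) {
        MemberSuffix.getValues().add("00");
    }
}
]]>
</Script>
</resolver:AttributeDefinition>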
- Attribute Release (for benefits-eligible employees). This releases the custom attributes for this vendor, UniqueMemberID and MemberSuffix; the policy below also releases displayname and email.
</AttributeFilterPolicy>
<!-- Release policy for HealthyRoads. The requester is matched on exact entityID for both the test and the production
     SP, so the rule is already in place when the production metadata is loaded. -->
<AttributeFilterPolicy id="releaseToHealthyRoads">
<PolicyRequirementRule xsi:type="basic:OR">
<basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.healthyroadstest.com/saml/UniversityOfAlaska" />
<!-- NOTE(review): the production entityID is listed before production metadata has been received; verify it against
     that metadata when it arrives and correct this value if it differs. -->
<basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.healthyroads.com/saml/UniversityOfAlaska" />
</PolicyRequirementRule>
<!-- Vendor-specific attributes defined in the resolver for this SP; all values are permitted. -->
<AttributeRule attributeID="UniqueMemberID">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
<AttributeRule attributeID="MemberSuffix">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
<!-- displayname and email are released as well. The SP metadata on this page lists Email as optional and does not
     list a display-name attribute at all; release only what the vendor actually consumes. -->
<AttributeRule attributeID="displayname">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
<AttributeRule attributeID="email">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
- Use unsolicited (IdP-initiated) SSO, at least for the test instance:
https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https://www.healthyroadstest.com/saml/UniversityOfAlaska