| 1 | Update UA IdP to release attributes to Kuali Ready v. 2.0 2012-08-06 |
| 2 | |
| 3 | 1. Determine that the staging IdP on howkan is a working clone of the production IdP |
| 4 | |
| 5 | 2. Create attribute resolver for UA ID# scoped (30123456@alaska.edu) in /opt/shibboleth-idp/conf/attribute-resolver.xml |
| 6 | |
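<resolver:AttributeDefinition id="uakPersonID" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">

    <!-- uakPersonID is locally (U Alaska) defined. -->
    <!-- Looks like ePPN except uses the unchanging ID # assigned in Banner ERP to students and employees -->
    <!-- rather than modifiable netID or UA Username. format: 30012345@alaska.edu -->

    <resolver:Dependency ref="myLDAP" />

    <!-- ID# is bannerid in EDIR LDAP or uaADIdentifier in UA AD (a few users are unique to each source). -->
    <!-- The script prefers bannerid; uaADIdentifier is consulted only when bannerid resolved to no values, -->
    <!-- so a user present in both sources receives the EDIR value. -->

    <resolver:Dependency ref="bannerid" />
    <resolver:Dependency ref="uaADIdentifier" />

    <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="https://iam.alaska.edu/trac/wiki/IamUaArp#uakPersonID" />

    <resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="https://iam.alaska.edu/trac/wiki/IamUaArp#uakPersonID" friendlyName="uakPersonID" />

    <Script>
        <![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        importPackage(Packages.org.slf4j);

        var logger = LoggerFactory.getLogger("edu.internet2.middleware.shibboleth.resolver.Script.scriptTest");
        logger.debug("Starting uakPersonID Attribute Resolver Script:");

        // The resolver is expected to bind uakPersonID for this definition; create it if it was not provided.
        if (uakPersonID == null) {
            uakPersonID = new BasicAttribute("uakPersonID");
        }

        // Appends every value of a resolved dependency to uakPersonID, scoped to alaska.edu.
        function addScopedValues(values) {
            for (var i = 0; i < values.size(); i++) {
                uakPersonID.getValues().add(new ScopedAttributeValue(values.get(i), "alaska.edu"));
            }
        }

        // The typeof guard comes first: a dependency that produced no value may not be bound in
        // script scope at all, and a bare reference to an unbound name throws instead of yielding null.
        if (typeof bannerid != "undefined" && bannerid != null && bannerid.getValues().size() != 0) {
            // Log the attribute actually being copied. Logging a name that is not a dependency of this
            // definition (it would not be bound here) throws and aborts resolution before any value is set.
            logger.debug("EDIR LDAP Values: " + bannerid.getValues());
            addScopedValues(bannerid.getValues());
        } else if (typeof uaADIdentifier != "undefined" && uaADIdentifier != null && uaADIdentifier.getValues().size() != 0) {
            logger.debug("AD LDAP Values: " + uaADIdentifier.getValues());
            addScopedValues(uaADIdentifier.getValues());
        }

        logger.debug("uakPersonID values:" + uakPersonID.getValues());
        logger.debug("Completed uakPersonID Attribute Resolver Script");
        ]]>
    </Script>

</resolver:AttributeDefinition>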
| 74 | |
| 75 | |
| 76 | 3. Modify the attribute filter (/opt/shibboleth-idp/conf/attribute-filter.xml in a standard install) to add the following release policy, |
| 77 | which releases uakPersonID to the Kuali Ready staging service. |
| 78 | <!-- ... --> |
| 79 | |
<AttributeFilterPolicy id="releaseToKualiReady">
    <!-- Matches only the Kuali Ready staging SP by its entityID; no other requester is affected by this policy. -->
    <PolicyRequirementRule type="basic:OR">
        <Rule type="basic:AttributeRequesterString" value="https://us.ready-staging.kuali.org/shibboleth-sp"/>
    </PolicyRequirementRule>

    <!-- uakPersonID: UA ID#@alaska.edu, ePPN-like but built on the unchanging UA ID# rather than the name-based UA Username. -->
    <AttributeRule attributeID="uakPersonID"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>

    <!-- Name and contact attributes released alongside the identifier; every value is permitted. -->
    <!-- NOTE(review): release only what the SP needs; confirm each attribute below (telephoneNumber especially) is actually required. -->
    <AttributeRule attributeID="displayName"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="givenName"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="surname"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="email"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="telephoneNumber"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
</AttributeFilterPolicy>
| 104 | |
| 105 | <!-- ... --> |
| 106 | |
| 107 | 3.1 Modify the local hosts file to point the IdP name at howkan; test the staging IdP by pointing a browser to: |
| 108 | https://us.ready-staging.kuali.org/uaa |
| 109 | https://us.ready-staging.kuali.org/uaf |
| 110 | https://us.ready-staging.kuali.org//uas |
| 111 | |
| 112 | 3.2 Coordinate with Kai Hsieh <kchsieh@berkeley.edu> to verify or correct as needed. |
| 113 | |
| 114 | 3.3 Comment out the modification to the local hosts file. |
| 115 | |
| 116 | 4. Upon successful staging, create service "modification/outage" notice; at scheduled time, |
| 117 | |
| 118 | [Need to verify hanin is near enough a clone of heald that it works as production IdP!] |
| 119 | |
| 120 | 4.1 modify attribute-filter.xml on the hot standby server (hanin) with production version of release policy: |
| 121 | <!-- ... --> |
| 122 | |
<AttributeFilterPolicy id="releaseToKualiReady">
    <!-- Production version: matches only the Kuali Ready production SP by its entityID. -->
    <PolicyRequirementRule type="basic:OR">
        <Rule type="basic:AttributeRequesterString" value="https://us.ready.kuali.org/shibboleth-sp"/>
    </PolicyRequirementRule>

    <!-- uakPersonID: UA ID#@alaska.edu, ePPN-like but built on the unchanging UA ID# rather than the name-based UA Username. -->
    <AttributeRule attributeID="uakPersonID"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>

    <!-- Name and contact attributes released alongside the identifier; every value is permitted. -->
    <!-- NOTE(review): keep this list identical to what was verified on staging and limited to what the SP requires. -->
    <AttributeRule attributeID="displayName"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="givenName"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="surname"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="email"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="telephoneNumber"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
</AttributeFilterPolicy>
| 147 | |
| 148 | <!-- ... --> |
| 149 | |
| 150 | 4.2 Restart the IdP |
| 151 | |
| 152 | 4.3 Test by editing /etc/hosts to point the IdP name at hanin, then pointing a browser to |
| 153 | https://us.ready-staging.kuali.org/uaa |
| 154 | https://us.ready-staging.kuali.org/uaf |
| 155 | https://us.ready-staging.kuali.org//uas |
| 156 | |
| 157 | 5. If successful, switch equalizer to designate hanin as active, then use same change process on heald |
| 158 | |
| 159 | 6. Check the new attribute-resolver.xml and attribute-filter.xml files into the subversion repository on iron. |
| 160 | |
| 161 | |
| 162 | |