Version 1 (modified by dabantz@…, 12 years ago)
Update UA IdP to release attributes to Kuali Ready v. 2.0 2012-08-06
- Determine that the staging IdP on howkan is a working clone of the production IdP
- Create an attribute resolver for the scoped UA ID# (30123456@…) in /opt/shibboleth-idp/conf/attribute-resolver.xml:
<resolver:AttributeDefinition id="uakPersonID" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <!-- uakPersonID is locally (U Alaska) defined. -->
    <!-- Looks like ePPN except uses the unchanging ID # assigned in Banner ERP to students and employees -->
    <!-- rather than modifiable netID or UA Username. format: 30012345@… -->
    <resolver:Dependency ref="myLDAP" />
    <!-- ID# is bannerid in EDIR LDAP or uaADIdentifier in UA AD (a few users are unique to each source) -->
    <resolver:Dependency ref="bannerid" />
    <resolver:Dependency ref="uaADIdentifier" />
    <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="https://iam.alaska.edu/trac/wiki/IamUaArp#uakPersonID" />
    <resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="https://iam.alaska.edu/trac/wiki/IamUaArp#uakPersonID" friendlyName="uakPersonID" />
    <Script>
        <![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        importPackage(Packages.org.slf4j);
        logger = LoggerFactory.getLogger("edu.internet2.middleware.shibboleth.resolver.Script.scriptTest");
        logger.debug("Starting uakPersonID Attribute Resolver Script:");
        // Create the result attribute if the IdP did not already supply one
        if (uakPersonID == null)
        {
            uakPersonID = new BasicAttribute("uakPersonID");
        }
        // Prefer the EDIR LDAP bannerid; use the AD uaADIdentifier only when EDIR has no value
        if (typeof bannerid != "undefined" && bannerid != null && bannerid.getValues().size() != 0)
        {
            logger.debug("EDIR LDAP Values: " + bannerid.getValues());
            for ( i = 0; i < bannerid.getValues().size(); i++ )
            {
                value = bannerid.getValues().get(i);
                // Scope every ID# to alaska.edu, giving an ePPN-like value
                uakPersonID.getValues().add(new ScopedAttributeValue(value, "alaska.edu"));
            }
        }
        else
        {
            if (typeof uaADIdentifier != "undefined" && uaADIdentifier != null && uaADIdentifier.getValues().size() != 0)
            {
                logger.debug("AD LDAP Values: " + uaADIdentifier.getValues());
                for ( i = 0; i < uaADIdentifier.getValues().size(); i++ )
                {
                    value = uaADIdentifier.getValues().get(i);
                    uakPersonID.getValues().add(new ScopedAttributeValue(value, "alaska.edu"));
                }
            }
        }
        logger.debug("uakPersonID values:" + uakPersonID.getValues());
        logger.debug("Completed uakPersonID Attribute Resolver Script");
        ]]>
    </Script>
</resolver:AttributeDefinition>
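The source-selection and scoping rule of the resolver script above, rewritten as an added example (not this page's or the UA IdP's own code) in plain JavaScript so it can be exercised with Node outside the IdP. The real script works on the IdP's Java objects (BasicAttribute, ScopedAttributeValue); here each source attribute is an array of strings and the result is an array of "id@scope" strings. The function names, the digits-only validity check and the sample principals are assumptions made for this example, not anything the page states.

```javascript
// Added example, not the UA IdP's own code: the uakPersonID fallback logic
// as a plain function that can be run and tested with Node.

const SCOPE = "alaska.edu";

// Assumption for this example (not stated on the page): a UA ID# is a string
// of decimal digits such as 30012345. Anything else, in particular a value
// that already contains "@", is rejected rather than scoped, so a bad
// directory entry cannot yield a value carrying a foreign scope.
function isValidUaId(value) {
  return typeof value === "string" && /^[0-9]+$/.test(value);
}

// Mirrors the script's "defined, non-null and has values" guard.
function hasValues(attr) {
  return Array.isArray(attr) && attr.length !== 0;
}

// Same precedence as the script: EDIR bannerid wins when it has any value;
// the AD uaADIdentifier is used only when EDIR has none. As in the script the
// choice is made on presence, not validity, so an EDIR entry holding only a
// malformed value yields no uakPersonID instead of falling back to AD.
// Returns { source, values, rejected }; source is "edir", "ad" or null.
function resolveUakPersonID(bannerid, uaADIdentifier) {
  let source = null;
  let raw = [];
  if (hasValues(bannerid)) {
    source = "edir";
    raw = bannerid;
  } else if (hasValues(uaADIdentifier)) {
    source = "ad";
    raw = uaADIdentifier;
  }
  const values = [];
  const rejected = [];
  for (const v of raw) {
    if (isValidUaId(v)) {
      values.push(v + "@" + SCOPE); // scoped value, same shape as ePPN
    } else {
      rejected.push(v);
    }
  }
  return { source, values, rejected };
}

// Constructed sample principals for a stand-alone run (not real UA data).
const SAMPLE_PRINCIPALS = {
  bothSources: { bannerid: ["30012345"], uaADIdentifier: ["30012345"] },
  adOnly:      { bannerid: [],           uaADIdentifier: ["30098765"] },
  noId:        { bannerid: [],           uaADIdentifier: [] },
  malformed:   { bannerid: ["30011111@example.org"], uaADIdentifier: ["30011111"] },
};

// Resolve every sample principal; handy as a regression check whenever the
// resolver script is changed. Returns a map of sample name -> result.
function resolveSamples(principals = SAMPLE_PRINCIPALS) {
  const out = {};
  for (const [name, a] of Object.entries(principals)) {
    out[name] = resolveUakPersonID(a.bannerid, a.uaADIdentifier);
  }
  return out;
}

for (const [name, result] of Object.entries(resolveSamples())) {
  console.log(name.padEnd(12), JSON.stringify(result));
}
```

The "malformed" sample is the case worth watching in the IdP logs: the script's EDIR branch is taken because bannerid has a value, so an ID# that is not a plain number produces an empty (or, without the validity check, a wrongly scoped) uakPersonID rather than an AD fallback.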
- Modify the attribute filter (/opt/shibboleth-idp/conf/attribute-filter.xml in a standard install) to add the following release policy, which releases uakPersonID (together with the name, email and telephone attributes listed) to the Kuali Ready staging service:
<!-- ... -->
<AttributeFilterPolicy id="releaseToKualiReady">
    <!-- Exact match on the staging SP's entityID; the production SP gets its own policy -->
    <PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://us.ready-staging.kuali.org/shibboleth-sp"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="uakPersonID">
        <!-- UA ID #@alaska.edu, like ePPN, but with unchanging UAID# rather than name-based UA Username -->
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="telephoneNumber">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
<!-- ... -->
3.1 Modify the local hosts file to point to howkan; test the staging IdP by pointing a browser to:
https://us.ready-staging.kuali.org/uaa
https://us.ready-staging.kuali.org/uaf
https://us.ready-staging.kuali.org//uas
3.2 Coordinate with Kai Hsieh <kchsieh@…> to verify or correct as needed.
3.3 Comment out the modification to the local hosts file.
- Upon successful staging, create a service "modification/outage" notice; then, at the scheduled time:
[Need to verify hanin is near enough a clone of heald that it works as production IdP!]
4.1 Modify attribute-filter.xml on the hot standby server (hanin) with the production version of the release policy:
<!-- ... -->
<AttributeFilterPolicy id="releaseToKualiReady">
    <!-- Exact match on the production SP's entityID -->
    <PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://us.ready.kuali.org/shibboleth-sp"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="uakPersonID">
        <!-- UA ID #@alaska.edu, like ePPN, but with unchanging UAID# rather than name-based UA Username -->
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="telephoneNumber">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
<!-- ... -->
4.2 Restart the IdP.
4.3 Test by editing /etc/hosts to point the IdP name at hanin, then pointing a browser to:
https://us.ready-staging.kuali.org/uaa
https://us.ready-staging.kuali.org/uaf
https://us.ready-staging.kuali.org//uas
- If successful, switch the Equalizer to designate hanin as active, then apply the same change process to heald.
- Check the new attribute-resolver.xml and attribute-filter.xml files into the Subversion repository on iron.