

Update UA IdP to release attributes to Kuali Ready v. 2.0 2012-08-06
 
 1.  Determine that the staging IdP on howkan is a working clone of the production IdP
 
 2.  Create an attribute resolver definition for the scoped UA ID# (e.g. 30123456@alaska.edu) in /opt/shibboleth-idp/conf/attribute-resolver.xml
 
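     <resolver:AttributeDefinition id="uakPersonID" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">

         <!-- uakPersonID is locally (U Alaska) defined. -->
         <!-- Looks like ePPN except it uses the unchanging ID # assigned in Banner ERP to students and employees -->
         <!-- rather than the modifiable netID or UA Username. Format: 30012345@alaska.edu -->

         <resolver:Dependency ref="myLDAP" />

         <!-- ID# is bannerid in EDIR LDAP or uaADIdentifier in UA AD (a few users are unique to each source). -->
         <!-- The script below prefers bannerid and falls back to uaADIdentifier only when bannerid is absent or empty. -->
         <!-- Only these declared dependencies are visible as variables inside the script. -->

         <resolver:Dependency ref="bannerid" />
         <resolver:Dependency ref="uaADIdentifier" />

         <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
             name="https://iam.alaska.edu/trac/wiki/IamUaArp#uakPersonID" />

         <resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
             name="https://iam.alaska.edu/trac/wiki/IamUaArp#uakPersonID" friendlyName="uakPersonID" />

         <Script>
         <![CDATA[
         importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
         importPackage(Packages.org.slf4j);

         logger = LoggerFactory.getLogger("edu.internet2.middleware.shibboleth.resolver.Script.scriptTest");
         logger.debug("Starting uakPersonID Attribute Resolver Script:");

         // Create the output attribute if the resolver did not supply one.
         if (uakPersonID == null)
         {
             uakPersonID = new BasicAttribute("uakPersonID");
         }

         // Preferred source: Banner ID from EDIR LDAP.
         // The original log line here referenced 'uasystemid', which is not a declared dependency and
         // so is not in scope in this script; it would fail at run time before any value was added.
         if (typeof bannerid != "undefined" && bannerid != null && bannerid.getValues().size() != 0)
         {
             // NOTE(review): attribute values are written to the IdP log at debug level; keep resolver
             // debug logging disabled in production so identifiers are not logged.
             logger.debug("EDIR LDAP Values: " + bannerid.getValues());

             for ( i = 0; i < bannerid.getValues().size(); i++ )
             {
                 value = bannerid.getValues().get(i);
                 // Scope is fixed to alaska.edu; the encoders above emit this as a scoped string.
                 uakPersonID.getValues().add(new ScopedAttributeValue(value, "alaska.edu"));
             }
         }
         else
         {
             // Fallback source: the AD identifier, for users with no Banner ID in EDIR.
             if (typeof uaADIdentifier != "undefined" && uaADIdentifier != null && uaADIdentifier.getValues().size() != 0)
             {
                 logger.debug("AD LDAP Values: " + uaADIdentifier.getValues());

                 for ( i = 0; i < uaADIdentifier.getValues().size(); i++ )
                 {
                     value = uaADIdentifier.getValues().get(i);
                     uakPersonID.getValues().add(new ScopedAttributeValue(value, "alaska.edu"));
                 }
             }
         }

         logger.debug("uakPersonID values:" + uakPersonID.getValues());
         logger.debug("Completed uakPersonID Attribute Resolver Script");
         ]]>
         </Script>

     </resolver:AttributeDefinition>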
 
 
 3.  Modify the attribute filter (/opt/shibboleth-idp/conf/attribute-filter.xml in a standard install) to add the following release policy,
 which releases uakPersonID and the other listed attributes to the Kuali Ready staging service.
 <!--   ...   -->
 
      <AttributeFilterPolicy id="releaseToKualiReady">
          <!-- Staging policy: applies only to requests whose requester (SP entityID) matches the Kuali Ready staging SP. -->
          <!-- basic:OR currently holds a single Rule; further Rule children may be listed if more requesters are needed. -->
          <PolicyRequirementRule type="basic:OR">
              <Rule type="basic:AttributeRequesterString" value="https://us.ready-staging.kuali.org/shibboleth-sp"/>
          </PolicyRequirementRule>

          <!-- uakPersonID: UA ID#@alaska.edu, like ePPN but carrying the unchanging UA ID# rather than the name-based UA Username. -->
          <AttributeRule attributeID="uakPersonID">
              <PermitValueRule xsi:type="basic:ANY"/>
          </AttributeRule>

          <!-- Name and contact attributes; every value is released to this requester. -->
          <AttributeRule attributeID="displayName">
              <PermitValueRule xsi:type="basic:ANY"/>
          </AttributeRule>
          <AttributeRule attributeID="givenName">
              <PermitValueRule xsi:type="basic:ANY"/>
          </AttributeRule>
          <AttributeRule attributeID="surname">
              <PermitValueRule xsi:type="basic:ANY"/>
          </AttributeRule>
          <AttributeRule attributeID="email">
              <PermitValueRule xsi:type="basic:ANY"/>
          </AttributeRule>
          <AttributeRule attributeID="telephoneNumber">
              <PermitValueRule xsi:type="basic:ANY"/>
          </AttributeRule>
      </AttributeFilterPolicy>
           
 <!--   ...   -->
 
 3.1 Modify the local hosts file so the IdP hostname resolves to howkan; test the staging IdP by pointing a browser to:
      https://us.ready-staging.kuali.org/uaa
      https://us.ready-staging.kuali.org/uaf
      https://us.ready-staging.kuali.org/uas
 
 3.2  Coordinate with Kai Hsieh <kchsieh@berkeley.edu> to verify or correct as needed.
 
 3.3  Comment out the modification to the local hosts file.
 
 4.  Upon successful staging, create a service "modification/outage" notice; then, at the scheduled time:
 
 [Need to verify hanin is near enough a clone of heald that it works as production IdP!]
 
      4.1 modify attribute-filter.xml on the hot standby server (hanin) with production version of release policy:
 <!--   ...   -->
 
      <AttributeFilterPolicy id="releaseToKualiReady">
          <!-- Production policy: applies only to requests whose requester (SP entityID) matches the Kuali Ready production SP. -->
          <!-- This differs from the staging policy only in the requester value; each IdP carries the policy for its own SP. -->
          <PolicyRequirementRule type="basic:OR">
              <Rule type="basic:AttributeRequesterString" value="https://us.ready.kuali.org/shibboleth-sp"/>
          </PolicyRequirementRule>

          <!-- uakPersonID: UA ID#@alaska.edu, like ePPN but carrying the unchanging UA ID# rather than the name-based UA Username. -->
          <AttributeRule attributeID="uakPersonID">
              <PermitValueRule xsi:type="basic:ANY"/>
          </AttributeRule>

          <!-- Name and contact attributes; every value is released to this requester. -->
          <AttributeRule attributeID="displayName">
              <PermitValueRule xsi:type="basic:ANY"/>
          </AttributeRule>
          <AttributeRule attributeID="givenName">
              <PermitValueRule xsi:type="basic:ANY"/>
          </AttributeRule>
          <AttributeRule attributeID="surname">
              <PermitValueRule xsi:type="basic:ANY"/>
          </AttributeRule>
          <AttributeRule attributeID="email">
              <PermitValueRule xsi:type="basic:ANY"/>
          </AttributeRule>
          <AttributeRule attributeID="telephoneNumber">
              <PermitValueRule xsi:type="basic:ANY"/>
          </AttributeRule>
      </AttributeFilterPolicy>
           
 <!--   ...   -->
 
      4.2 Restart the IdP
 
      4.3 Test by editing /etc/hosts to point the IdP hostname to hanin, then pointing a browser to the URLs below (note that the production policy above only matches the requester https://us.ready.kuali.org/shibboleth-sp, so confirm the test URLs exercise that SP):
      https://us.ready-staging.kuali.org/uaa
      https://us.ready-staging.kuali.org/uaf
      https://us.ready-staging.kuali.org/uas
 
 5. If successful, switch the equalizer to designate hanin as active, then apply the same change process to heald.
 
 6. Check the new attribute-resolver.xml and attribute-filter.xml files into the Subversion repository on iron.