Version 2 (modified by dabantz@…, 12 years ago)
Update UA IdP to release attributes to Kuali Ready v. 2.0

2012-08-06

1. Determine that the staging IdP on howkan is a working clone of the production IdP.

2. Create an attribute resolver for the scoped UA ID# (30123456@alaska.edu) in /opt/shibboleth-idp/conf/attribute-resolver.xml:

```xml
<resolver:AttributeDefinition id="uakPersonID" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <!-- uakPersonID is locally (U Alaska) defined. -->
    <!-- Looks like ePPN except uses the unchanging ID # assigned in Banner ERP to students and employees -->
    <!-- rather than modifiable netID or UA Username. format: 30012345@alaska.edu -->
    <resolver:Dependency ref="myLDAP" />
    <!-- ID# is bannerid in EDIR LDAP or uaADIdentifier in UA AD (a few users are unique to each source) -->
    <resolver:Dependency ref="bannerid" />
    <resolver:Dependency ref="uaADIdentifier" />
    <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="https://iam.alaska.edu/trac/wiki/IamUaArp#uakPersonID" />
    <resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="https://iam.alaska.edu/trac/wiki/IamUaArp#uakPersonID" friendlyName="uakPersonID" />
    <Script>
        <![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        importPackage(Packages.org.slf4j);
        logger = LoggerFactory.getLogger("edu.internet2.middleware.shibboleth.resolver.Script.scriptTest");
        logger.debug("Starting uakPersonID Attribute Resolver Script:");
        if (uakPersonID == null) {
            uakPersonID = new BasicAttribute("uakPersonID");
        }
        // Prefer the Banner ID from EDIR LDAP; use the AD identifier only when EDIR supplies no value.
        if (typeof bannerid != "undefined" && bannerid != null && bannerid.getValues().size() != 0) {
            logger.debug("EDIR LDAP Values: " + bannerid.getValues());
            for (i = 0; i < bannerid.getValues().size(); i++) {
                value = bannerid.getValues().get(i);
                uakPersonID.getValues().add(new ScopedAttributeValue(value, "alaska.edu"));
            }
        } else {
            if (typeof uaADIdentifier != "undefined" && uaADIdentifier != null && uaADIdentifier.getValues().size() != 0) {
                logger.debug("AD LDAP Values: " + uaADIdentifier.getValues());
                for (i = 0; i < uaADIdentifier.getValues().size(); i++) {
                    value = uaADIdentifier.getValues().get(i);
                    uakPersonID.getValues().add(new ScopedAttributeValue(value, "alaska.edu"));
                }
            }
        }
        logger.debug("uakPersonID values:" + uakPersonID.getValues());
        logger.debug("Completed uakPersonID Attribute Resolver Script");
        ]]>
    </Script>
</resolver:AttributeDefinition>
```

3. Modify the attribute filter (/opt/shibboleth-idp/conf/attribute-filter.xml in a standard install) to add the following release policy, releasing uakPersonID to the Kuali Ready staging service:

```xml
<!-- ... -->
<AttributeFilterPolicy id="releaseToKualiReady">
    <PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://us.ready-staging.kuali.org/shibboleth-sp"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="uakPersonID">
        <!-- UA ID #@alaska.edu, like ePPN, but with unchanging UAID# rather than name-based UA Username -->
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="telephoneNumber">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
<!-- ... -->
```

3.1 Modify the local hosts file to point the IdP hostname to howkan; test the staging IdP by pointing a browser to:
    https://us.ready-staging.kuali.org/uaa
    https://us.ready-staging.kuali.org/uaf
    https://us.ready-staging.kuali.org/uas

3.2 Coordinate with Kai Hsieh <kchsieh@berkeley.edu> to verify or correct as needed.

3.3 Comment out the modification to the local hosts file.

4. Upon successful staging, create a service "modification/outage" notice; at the scheduled time: [Need to verify hanin is near enough a clone of heald that it works as production IdP!]

4.1 Modify attribute-filter.xml on the hot standby server (hanin) with the production version of the release policy:

```xml
<!-- ... -->
<AttributeFilterPolicy id="releaseToKualiReady">
    <PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://us.ready.kuali.org/shibboleth-sp"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="uakPersonID">
        <!-- UA ID #@alaska.edu, like ePPN, but with unchanging UAID# rather than name-based UA Username -->
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="telephoneNumber">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
<!-- ... -->
```

4.2 Restart the IdP.

4.3 Test by editing /etc/hosts to point the IdP hostname to hanin, then pointing a browser to:
    https://us.ready-staging.kuali.org/uaa
    https://us.ready-staging.kuali.org/uaf
    https://us.ready-staging.kuali.org/uas

5. If successful, switch the equalizer to designate hanin as active, then use the same change process on heald.

6. Check the new attribute-resolver.xml and attribute-filter.xml files into the subversion repository on iron.
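The two configuration changes above (the uakPersonID Script definition in step 2 and the releaseToKualiReady filter policy in steps 3 and 4.1) can be sanity-checked offline before touching howkan, hanin or heald. The following is an added example, not code from this wiki page or from the Shibboleth project: a small Node.js model of the same selection and release logic. The function names (resolveUakPersonID, filterForRequester, resolveAndRelease), the ATTRIBUTE_FILTER_POLICIES table and the sample users are all constructed for the example; only the entityIDs, attribute names and the alaska.edu scope come from the page.

```javascript
// Added example (not from the UA wiki page or Shibboleth): models the
// uakPersonID Script attribute definition and the releaseToKualiReady
// attribute-filter policy so both can be exercised without an IdP.
// Function names, the policy table and sample users are constructed here.

const SCOPE = "alaska.edu";

// Models the Script definition: prefer bannerid (EDIR LDAP) and fall back to
// uaADIdentifier (UA AD) only when EDIR supplies no value, so a user present
// in both directories is never issued two different scoped IDs.
function resolveUakPersonID(sourceAttrs) {
  const bannerid = sourceAttrs.bannerid || [];
  const adIdentifier = sourceAttrs.uaADIdentifier || [];
  const chosen = bannerid.length > 0 ? bannerid : adIdentifier;
  return chosen.map((id) => `${id}@${SCOPE}`);
}

// Models attribute-filter.xml: one AttributeFilterPolicy per requester
// entityID, each permitting basic:ANY values of the listed attributes.
// Staging and production SPs have distinct entityIDs, so each needs its own
// policy; a policy keyed on the staging SP releases nothing to production.
const RELEASED_TO_KUALI_READY = [
  "uakPersonID", "displayName", "givenName", "surname", "email", "telephoneNumber",
];
const ATTRIBUTE_FILTER_POLICIES = {
  "https://us.ready-staging.kuali.org/shibboleth-sp": RELEASED_TO_KUALI_READY, // step 3
  "https://us.ready.kuali.org/shibboleth-sp": RELEASED_TO_KUALI_READY,         // step 4.1
};

// Models AttributeRequesterString: the requester must match a policy's
// entityID exactly. Resolved attributes not named in a matching policy
// (e.g. uid) are withheld, as are attributes that resolved to no values.
function filterForRequester(requesterEntityID, resolvedAttrs) {
  const permitted = ATTRIBUTE_FILTER_POLICIES[requesterEntityID] || [];
  const released = {};
  for (const attributeID of permitted) {
    const values = resolvedAttrs[attributeID];
    if (Array.isArray(values) && values.length > 0) {
      released[attributeID] = values.slice();
    }
  }
  return released;
}

// End to end: resolve uakPersonID from the directory attributes, then apply
// the release policy for the requesting SP.
function resolveAndRelease(directoryAttrs, requesterEntityID) {
  const resolved = { ...directoryAttrs, uakPersonID: resolveUakPersonID(directoryAttrs) };
  return filterForRequester(requesterEntityID, resolved);
}

// Constructed sample users (not real UA records).
const SAMPLE_USERS = {
  // present in both EDIR and AD: the EDIR bannerid must win
  both: { bannerid: ["30012345"], uaADIdentifier: ["30012345"], uid: ["jdoe"],
          displayName: ["Jane Doe"], email: ["jdoe@alaska.edu"] },
  // AD-only account: falls back to uaADIdentifier
  adOnly: { uaADIdentifier: ["30098765"], uid: ["contractor1"], displayName: ["A. Contractor"] },
  // no ID in either source: uakPersonID cannot be asserted at all
  noId: { uid: ["guest"], displayName: ["Guest Account"] },
};

const STAGING_SP = "https://us.ready-staging.kuali.org/shibboleth-sp";
const PRODUCTION_SP = "https://us.ready.kuali.org/shibboleth-sp";

for (const [name, user] of Object.entries(SAMPLE_USERS)) {
  console.log(name, "->", STAGING_SP, JSON.stringify(resolveAndRelease(user, STAGING_SP)));
}
console.log("unknown SP ->", JSON.stringify(resolveAndRelease(SAMPLE_USERS.both, "https://sp.example.org/shibboleth")));
```

The cases worth watching are the three the real resolver must get right: a user in both directories gets exactly one uakPersonID (the EDIR value), an AD-only user still gets one, and a user with no ID in either source has uakPersonID silently omitted from the assertion rather than released empty. The exact-match requester check is also why the staging policy has to be swapped for the production entityID in step 4.1 rather than reused.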