Changes between Version 2 and Version 3 of Origami


Timestamp:
02/25/14 15:55:19 (11 years ago)
Author:
dabantz@…
Comment:

  • Origami

    v2 v3  
    22 
    33Origami is a service for risk management: http://origamirisk.com/ 
     4 
     5(1) Origami was unable to provide metadata description of their service.  So UA is required to manufacture metadata for the service.  
     6{{{ 
     7<EntityDescriptor entityID="https://demo.origamirisk.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> 
     8   <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
     9 
     10       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> 
     11 
     12       <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
     13           Location="https://demo.origamirisk.com/Origami/SSO/SamlLogin?providerAccount=UofAK" /> 
     14   </SPSSODescriptor> 
     15</EntityDescriptor> 
     16 
     17<EntityDescriptor entityID="https://live.origamirisk.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> 
     18   <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
     19 
     20       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> 
     21 
     22       <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
     23           Location="https://live.origamirisk.com/Origami/SSO/SamlLogin?providerAccount=UofAK" /> 
     24   </SPSSODescriptor> 
     25</EntityDescriptor> 
     26}}} 
     27 
     28(2) Attribute release policy; to meet customer requirements to respond differently to employees vs students, and  
     29active/current vs. inactive members, Origami agreed to consume and use indicators of affiliation (eduPersonAffiliation) 
     30and indicators of being currently-enrolled student (use creditHoursCurrent) and currently active employee with a job or assignment 
     31(use assignmentCount).  Heres' the release policy, applied to both the test ("demo") and production ("live") services. 
     32 
     33{{{ 
     34<AttributeFilterPolicy id="releaseToOrigami"> 
     35   <PolicyRequirementRule xsi:type="basic:OR"> 
     36                <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://demo.origamirisk.com" /> 
     37                <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://live.origamirisk.com" /> 
     38        </PolicyRequirementRule> 
     39    <AttributeRule attributeID="assignmentCount"> 
     40        <PermitValueRule xsi:type="basic:ANY" /> 
     41    </AttributeRule> 
     42    <AttributeRule attributeID="creditHoursCurrent"> 
     43        <PermitValueRule xsi:type="basic:ANY" /> 
     44    </AttributeRule> 
     45    <AttributeRule attributeID="bannerID"> 
     46        <PermitValueRule xsi:type="basic:ANY" /> 
     47    </AttributeRule> 
     48    <AttributeRule attributeID="eduPersonAffiliation"> 
     49        <PermitValueRule xsi:type="basic:ANY" /> 
     50    </AttributeRule> 
     51    <AttributeRule attributeID="displayname"> 
     52         <PermitValueRule xsi:type="basic:ANY" /> 
     53    </AttributeRule> 
     54    <AttributeRule attributeID="email"> 
     55        <PermitValueRule xsi:type="basic:ANY" /> 
     56    </AttributeRule> 
     57</AttributeFilterPolicy> 
     58}}} 
     59 
     60 
     61(3)  Because they are not providing a certificate to be used in the transaction, it is necessary to disable encryption of SAML assertions to the service with a special relying-party configuration [prior to including this relying-party configuration, the IdP error'd out attempting to respond to authentication request]. 
     62In relying-party.xml 
     63{{{ 
     64<!-- Origami provides no metadata or cert, so disable encryption  --> 
     65   <RelyingParty id="https://demo.origamirisk.com" 
     66       provider="urn:mace:incommon:alaska.edu" 
     67       defaultSigningCredentialRef="IdPCredential" 
     68       defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"> 
     69      <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" /> 
     70   </RelyingParty> 
     71   <RelyingParty id="https://live.origamirisk.com" 
     72       provider="urn:mace:incommon:alaska.edu" 
     73       defaultSigningCredentialRef="IdPCredential" 
     74       defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"> 
     75      <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" /> 
     76   </RelyingParty> 
     77 }}} 
     78 
     79(4) For at least the initial testing, we used the following URL: 
     80https://demo.origamirisk.com/origami/account/login?account=UofAK 
     81 
    482 
    583UA OIT Project Manager is Toni Abbey.  A target completion date for integration with UA Shibboleth login is 10 February 2014.
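Review bot: the relying-party overrides for both entity IDs set `encryptAssertions="never"` and `encryptNameIds="never"`, so every assertion delivered to the HTTP-POST AssertionConsumerService (carrying bannerID, email, displayname, eduPersonAffiliation, creditHoursCurrent and assignmentCount under the `basic:ANY` permit rules) passes through the user's browser as a signed but unencrypted XML document, base64 only, and its confidentiality rests entirely on TLS to the Location URL in the manufactured metadata. The comment `<!-- Origami provides no metadata or cert, so disable encryption  -->` should state that this is a temporary exception, and the page should record the follow-up: obtain an encryption certificate from the vendor, add a `<KeyDescriptor use="encryption">` to both manufactured `<SPSSODescriptor>` elements, and remove the `ProfileConfiguration` override. Related gap in the same hunk: with no KeyDescriptor in the metadata the IdP has nothing with which to verify a signed AuthnRequest from Origami, so the only thing binding the two entityIDs to their ACS Locations is what was typed into the metadata file; the text should say how the `https://demo.origamirisk.com/Origami/SSO/SamlLogin?providerAccount=UofAK` and `live` Locations were confirmed with the vendor.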