Federation.AAP r1.7 - 17 Feb 2008 - 06:09 - BrucLiong


Attribute Acceptance Policy (AAP)

On the Shibboleth SP side, every attribute received from the IdP's Attribute Authority (AA) is mapped into HTTP request headers that are then passed on to the application protected by the SP. Before the values are mapped they are filtered: the SP decides whether each attribute and each of its values should be accepted at all and, if so, which header the attribute is mapped to. An attribute that has no rule is discarded, so the policy acts as a whitelist of what the application can ever see. All of this is configured in the Attribute Acceptance Policy file (AAP.xml). Because the application receives the result as ordinary request headers, it must only be reachable through the SP-protected location; otherwise a client could supply headers of the same names itself.

A full and comprehensive description of AAP configuration is provided by the Shibboleth community. It is recommended that institutions interested in becoming an SP should study the Shibboleth installation guide on AAP carefully.

To see how an AAP is set up in practice, we will work through the following:

  • How to set up an AAP to accept attributes
  • How to set up an AAP to accept attributes only from a specific Identity Provider
  • How to set up an AAP to accept attributes from a specific scope

followed by some other examples of restricting access to resources.

Prerequisites:

  • You have installed an IdP following the instructions here. The ARP on the IdP is set up to release the following attributes: sn, eduPersonNickname, eduPersonAffiliation and eduPersonPrincipalName.
  • You have installed a Shibboleth Service Provider following the instructions here and you have deployed the demo JSP application according to this guide. We will now configure the AAP.xml file for this JSP application.

Accepting Attributes

  • Accept and map the following attributes to achieve "gold" service with the JSP demo application. Note that these are the same attributes that were released from the IdP.
    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Header="REMOTE_USER" Alias="user">
        <!-- Basic rule to pass through any value. -->
        <AnySite>
            <AnyValue/>
        </AnySite>
    </AttributeRule>

    <AttributeRule Name="urn:mace:dir:attribute-def:sn" Header="Shib-Person-surname">
        <AnySite>
            <AnyValue/>
        </AnySite>
    </AttributeRule>

    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonNickname" Header="Shib-EP-Nickname">
        <AnySite>
            <AnyValue/>
        </AnySite>
    </AttributeRule>

    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" Header="Shib-EP-Affiliation" Alias="affiliation">
        <!-- Filtering rule to limit values to the eduPerson-defined enumeration (case-insensitive).
             Note the character classes are written [Mm], not [M|m]: inside [...] a bar is a literal
             character, so [M|m] would also accept "|". -->
        <AnySite>
            <Value Type="regexp">^[Mm][Ee][Mm][Bb][Ee][Rr]$</Value>
            <Value Type="regexp">^[Ff][Aa][Cc][Uu][Ll][Tt][Yy]$</Value>
            <Value Type="regexp">^[Ss][Tt][Uu][Dd][Ee][Nn][Tt]$</Value>
            <Value Type="regexp">^[Ss][Tt][Aa][Ff][Ff]$</Value>
            <Value Type="regexp">^[Aa][Ll][Uu][Mm]$</Value>
            <Value Type="regexp">^[Aa][Ff][Ff][Ii][Ll][Ii][Aa][Tt][Ee]$</Value>
            <Value Type="regexp">^[Ee][Mm][Pp][Ll][Oo][Yy][Ee][Ee]$</Value>
        </AnySite>
    </AttributeRule>
  

  • Note that for eduPersonAffiliation the rules above restrict the accepted values (case-insensitively) to member, faculty, student, staff, alum, affiliate or employee. Any other value is dropped and never reaches the application; if none of an attribute's values survives, the header is simply not set. Keep the patterns anchored with ^ and $ as shown, otherwise a value such as "nonmember" would also pass.

Accepting Attributes From a Specific Identity Provider

  • Assume your IdP's hostname is "idp-ldap.mams.org.au" and its providerId (the entity identifier it uses in the federation metadata, which is what a SiteRule matches, not the DNS name) is "urn:mace:federation.mams.local:testfed:idp-ldap.mams.org.au". To configure the AAP so that the "sn" attribute is accepted only from your IdP, replace AnySite with a SiteRule naming that providerId in the AttributeRule for sn:

     <AttributeRule Name="urn:mace:dir:attribute-def:sn" Header="Shib-Person-surname">
        <!-- Specific rules for an origin site, these are just development/sample sites. -->
        <SiteRule Name="urn:mace:federation.mams.local:testfed:idp-ldap.mams.org.au">
           <AnyValue/>
        </SiteRule>
     </AttributeRule>

Attributes SmartScope

When an attribute value carries a scope (for example the part after the "@" in a scoped eduPersonPrincipalName), the SP checks that scope against the scopes it allows for the asserting IdP before the value is accepted. If the scope does not match, the value is rejected.

Scoping is the way the IdP and the SP reach agreement on which organisational domains an IdP may speak for. A particular resource at the SP may be accessible only to users who belong to certain domains, e.g. only users from the physics domain (@physics.mq.edu.au) may read our internal physics reports. Without the scope check an IdP could assert identities in another organisation's domain.

Alias and Access Control

Each AttributeRule in the AAP carries three pieces of information:
  1. the attribute name (Name)
  2. the header name under which the attribute is released to the application (Header)
  3. an alias (Alias) for use in the web server's Shibboleth access-control rules

The alias (3) can be used in the web server configuration to control access to resources. Consider the following Apache configuration:

   <Location /QuantumPhysics/>
      AuthType shibboleth
      ShibRequireSession On
      require memberof "Physics"
      Satisfy All
   </Location>

This depends on the following AAP rule, which accepts the group attribute and gives it the alias "memberof":

   <AttributeRule Name="urn:mace:federation.mams.local:attributes:group"
      Header="GROUPMEMBERSHIP" Alias="memberof">
      <SiteRule Name="urn:mace:federation.mams.local">
         <AnyValue/>
      </SiteRule>
   </AttributeRule>

The above says that resources under /QuantumPhysics/ are accessible only to users whose group attribute, as accepted by the AAP, contains the value "Physics". The SiteRule is doing security work here: because the group attribute is accepted only from the site(s) named in the SiteRule, an unrelated IdP cannot grant itself access by asserting a "Physics" group value. With AnySite, any IdP the SP trusts could.
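To tie the previous sections together (accepting attributes, restricting an attribute to one IdP, scope checking and the alias used in a require rule), here is an added example that models how the SP applies these rules; it is not code from this page or from the Shibboleth SP. The AAP fragment reuses the rules shown above, except that the group rule's SiteRule is narrowed to the IdP's providerId because this model matches a SiteRule Name against the asserting IdP's providerId only. The second providerId, the user assertion and the per-IdP scope list (standing in for what the real SP takes from federation metadata) are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not the wiki page's or the Shibboleth SP's own code: a
# simplified model of how the 1.x SP applies AAP.xml to one attribute assertion.

IDP = "urn:mace:federation.mams.local:testfed:idp-ldap.mams.org.au"
OTHER_IDP = "urn:mace:federation.mams.local:testfed:idp-other.example.org"  # constructed

EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
SN = "urn:mace:dir:attribute-def:sn"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
GROUP = "urn:mace:federation.mams.local:attributes:group"

AAP_XML = f"""<AttributeAcceptancePolicy>
  <AttributeRule Name="{EPPN}" Header="REMOTE_USER" Alias="user">
    <AnySite><AnyValue/></AnySite>
  </AttributeRule>
  <AttributeRule Name="{SN}" Header="Shib-Person-surname">
    <SiteRule Name="{IDP}"><AnyValue/></SiteRule>
  </AttributeRule>
  <AttributeRule Name="{AFFILIATION}" Header="Shib-EP-Affiliation" Alias="affiliation">
    <AnySite>
      <Value Type="regexp">^[Mm][Ee][Mm][Bb][Ee][Rr]$</Value>
      <Value Type="regexp">^[Ss][Tt][Aa][Ff][Ff]$</Value>
      <Value Type="regexp">^[Ss][Tt][Uu][Dd][Ee][Nn][Tt]$</Value>
    </AnySite>
  </AttributeRule>
  <AttributeRule Name="{GROUP}" Header="GROUPMEMBERSHIP" Alias="memberof">
    <SiteRule Name="{IDP}"><AnyValue/></SiteRule>
  </AttributeRule>
</AttributeAcceptancePolicy>"""

# Scopes each IdP may assert. A real SP takes this from federation metadata;
# this table is constructed for the example.
ALLOWED_SCOPES = {IDP: {"mams.org.au"}, OTHER_IDP: {"example.org"}}


def value_allowed(site, value):
    """True if a value passes the AnyValue/Value children of an AnySite or SiteRule."""
    for child in site:
        if child.tag == "AnyValue":
            return True
        if child.tag == "Value":
            pattern = child.text or ""
            if child.get("Type") == "regexp":
                if re.search(pattern, value):   # the page's patterns are ^...$ anchored
                    return True
            elif pattern == value:              # no Type: literal match
                return True
    return False


def apply_aap(aap_xml, origin, assertion):
    """Filter an assertion {attr_name: [(value, scope_or_None), ...]} from IdP `origin`.

    Returns (headers, aliases): headers is what the application would see,
    aliases maps each rule's Alias to its accepted values for `require` rules.
    """
    rules = {r.get("Name"): r for r in ET.fromstring(aap_xml).findall("AttributeRule")}
    headers, aliases = {}, {}
    for name, values in assertion.items():
        rule = rules.get(name)
        if rule is None:
            continue                             # no AttributeRule: attribute dropped
        sites = [s for s in rule
                 if s.tag == "AnySite" or (s.tag == "SiteRule" and s.get("Name") == origin)]
        accepted = []
        for value, scope in values:
            if scope is not None and scope not in ALLOWED_SCOPES.get(origin, set()):
                continue                         # scope this IdP may not assert: rejected
            if any(value_allowed(s, value) for s in sites):
                accepted.append(value if scope is None else f"{value}@{scope}")
        if accepted:
            headers[rule.get("Header")] = ";".join(accepted)  # multiple values joined with ';'
            if rule.get("Alias"):
                aliases[rule.get("Alias")] = accepted
    return headers, aliases


def require(aliases, alias, *wanted):
    """Model of an Apache `require <alias> v1 v2 ...` line: any accepted value may match."""
    return any(v in wanted for v in aliases.get(alias, []))


# Constructed assertion, as the AA might release it for one user.
ASSERTION = {
    EPPN: [("bliong", "mams.org.au")],
    SN: [("Liong", None)],
    AFFILIATION: [("Staff", None), ("contractor", None)],   # "contractor" is outside the enumeration
    GROUP: [("Physics", None)],
    "urn:mace:dir:attribute-def:mail": [("bliong@mams.org.au", None)],  # no AttributeRule for mail
}


def demo(origin):
    """Headers the application sees and the /QuantumPhysics/ access decision for one IdP."""
    headers, aliases = apply_aap(AAP_XML, origin, ASSERTION)
    return headers, require(aliases, "memberof", "Physics")


if __name__ == "__main__":
    for origin in (IDP, OTHER_IDP):
        headers, granted = demo(origin)
        print(origin, headers, "QuantumPhysics access:", granted)
```

Run from the trusted IdP, the user gets REMOTE_USER, surname, a single affiliation value ("contractor" is filtered out) and the group, and the require rule grants access. The same assertion replayed from the other constructed IdP loses sn and the group (SiteRule does not match), loses the scoped eduPersonPrincipalName (scope "mams.org.au" is not one that IdP may assert) and keeps only the affiliation, so access is denied.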



Copyright © 1999-2008 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.