Generation of eduPersonTargetedID using ShARPE
ShARPE's mapping functionality can be used to generate an ePTID as an attribute to be sent to an SP. Every time the user visits the SP, the same ePTID will be sent, so this ePTID can be used as the user's opaque persistent identifier in place of other, more identifiable attributes (such as mail or username).
Typical examples of using the ePTID are customisation and personalisation of the user's experience while the user remains anonymous, but it can also be used for sharing documents with colleagues without forcing the user to reveal his identity to the storage location (e.g. when I visit another university's IR, I can remain anonymous while still editing my colleague's document based on my ePTID).
Installation
There are two ways to install the necessary library. If you already have ShARPE installed, you can skip to the configuration section (of course you can always follow the manual installation; it will not change the running ShARPE). If you don't have ShARPE installed, download sharpe_eptid.zip from the download page.
Manual Installation (without having ShARPE installed)
- replace all references to TOMCAT_HOME with your Tomcat installation folder (usually /usr/local/tomcat) and SHIB_HOME with your Shibboleth installation location (usually /usr/local/shibboleth-idp)
- download sharpe_eptid.zip
- extract it somewhere (such as /tmp)
- cp ./shib_tomcat/*.jar $TOMCAT_HOME/webapps/shibboleth-idp/WEB-INF/lib
- cp -fr ./shib_tomcat/conf $TOMCAT_HOME/webapps/shibboleth-idp/WEB-INF/classes
- cp -fr ./shib_home/mams-core-crosswalk $SHIB_HOME/etc
Configuration
1. make sure the ARP releases eduPersonTargetedID, i.e. the following lines exist in one of the ARP files, such as arp.site.xml:
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID">
<AnyValue release="permit"/>
</Attribute>
2. add this entry to your resolver configuration (make sure there is no duplicate entry). xyz is your IdP providerId.
<CustomAttributeDefinition
class="au.edu.mq.melcoe.mams.sharpe.shib.aa.attrresolv.provider.CrosswalkAttributeDefinition"
haltOnFirstFound="false" id="urn:mace:dir:attribute-def:eduPersonTargetedID"
smartScope="xyz">
<AttributeDependency requires="urn:mace:dir:attribute-def:mail"/>
</CustomAttributeDefinition>
3. edit SHIB_HOME/etc/mams-core-crosswalk/mapper/mapper.default_generic.xml and make sure this entry exists:
<Map>
<Attribute>urn:mace:dir:attribute-def:eduPersonTargetedID</Attribute>
<MapValue>SHA1(urn:mace:dir:attribute-def:mail + REQUESTER + 'this is my seed' + RESPONDER)</MapValue>
</Map>
Explanation: #2 and #3 above specify that the ePTID is generated by taking a SHA1 of mail concatenated with the SP's name (REQUESTER), some seed, and the IdP's name (RESPONDER). REQUESTER and RESPONDER are "global variables" available to the plugin. You can change the values in the above two blocks, provided you maintain the correct attribute dependencies in the resolver. If for some reason the dependencies are not valid, the HashCrosswalk function will not return the correct ePTID value.
You have the option of using SHA1, MD5, or HASHCODE as the hash method. Note that you can include as many attribute dependencies as you like in the creation of the hash. Steering away from RESPONDER or any other IdP-specific values will make your ePTID "transferable" if your user moves from one institution to another (i.e. if joe moves from MGSM to MQ, he can "carry" his ePTID to his new host), allowing him to keep access to resources where he was identified by his ePTID.
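The MapValue rule from #3 as an added example (Python, written for this page; it is not ShARPE's own HashCrosswalk code): it models HASH(mail + REQUESTER + seed + RESPONDER) and checks the two properties the text relies on, that the value is stable for one SP but differs between SPs, and that leaving RESPONDER out keeps it unchanged when the user's IdP changes. The provider IDs, SP names, plain string concatenation and hex encoding are assumptions.

```python
import hashlib

# Constructed sample values (assumptions for this example, not from the page).
SEED = "this is my seed"
IDP_MGSM = "urn:mace:example:idp:mgsm"
IDP_MQ = "urn:mace:example:idp:mq"
SP_LIBRARY = "urn:mace:example:sp:library"
SP_REPOSITORY = "urn:mace:example:sp:repository"


def eptid(mail, requester, responder=None, seed=SEED, algorithm="sha1"):
    """Compute an ePTID following the page's MapValue rule:
    HASH(mail + REQUESTER + seed + RESPONDER).

    Assumptions: plain string concatenation in that order, UTF-8 bytes,
    lowercase hex digest. Pass responder=None to model a MapValue that
    leaves RESPONDER out (the "transferable" variant from the text).
    HASHCODE is not modelled because its exact definition is not on the page.
    """
    if algorithm not in ("sha1", "md5"):
        raise ValueError("only SHA1 and MD5 are modelled here")
    parts = [mail, requester, seed]
    if responder is not None:
        parts.append(responder)
    digest = hashlib.new(algorithm)
    digest.update("".join(parts).encode("utf-8"))
    return digest.hexdigest()


def pairwise_properties(mail):
    """Return (stable_for_same_sp, different_across_sps): an opaque persistent
    identifier must be the same on every visit to one SP and must not let two
    SPs correlate the user by comparing values."""
    first = eptid(mail, SP_LIBRARY, IDP_MQ)
    second = eptid(mail, SP_LIBRARY, IDP_MQ)
    other_sp = eptid(mail, SP_REPOSITORY, IDP_MQ)
    return first == second, first != other_sp


def survives_institution_move(mail):
    """Compare the RESPONDER-bound and RESPONDER-free rules when the same user
    (same mail and seed, an assumption) moves from MGSM to MQ.
    Returns (bound_unchanged, free_unchanged)."""
    bound_before = eptid(mail, SP_LIBRARY, IDP_MGSM)
    bound_after = eptid(mail, SP_LIBRARY, IDP_MQ)
    free_before = eptid(mail, SP_LIBRARY)
    free_after = eptid(mail, SP_LIBRARY)
    return bound_before == bound_after, free_before == free_after
```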
Troubleshooting
If you had ShARPE installed previously and after configuration you see problems (i.e. exceptions or the ePTID not being released), it is advisable to either re-install ShARPE with the latest release or perform a manual install of this module (which gives you a more up-to-date library).
--
BrucLiong - 28 Aug 2006