Federation.WebSharpeView r1.11 - 06 Mar 2007 - 00:44 - BrucLiong

ShARPE User Interface

This guide walks through the use of WebSharpe, from creating a contract (ARP) to manipulating it and mapping attributes.

Create a contract for all communities (groups) and all services

This example shows how to create a contract for all SPs (site-wide) that applies to all users (all communities).

  1. Open ShARPE in a web browser (Mozilla Firefox preferred) at http://IdPDomainName/ShARPE
  2. Alternatively, if you don't have ShARPE installed, you can try it at https://opensharpe.federation.org.au/ after registering an account on our open IdP at https://openidp.federation.org.au/openidp/openidp.
  3. Log in with the password you specified during the installation, or "test".
  4. Select SERVICE PROVIDER from the left panel.
  5. Expand "All Service Providers".
    WebSharpe1.jpg
  6. Select "All Products" and choose "All Communities". (Note: "product" and "service" are synonymous)
    WebSharpe2.jpg
  7. The initial 'contract' for "All Service Providers" for "All Services" for "All Communities" is to release no attributes.
    WebSharpe3.jpg
  8. In order to release an attribute to all communities for all products, select Add->SPAffiliation.
    WebSharpe4.jpg
  9. Now access the MAMS diagnostic service https://demo.federation.org.au/SharpeJSPDemo/demo.jsp (close all browser windows first and re-open to create a new session; log in with username staff and password test). Note that eduPersonAffiliation ("Staff") is now released.
    TestPageAttributesStaff0.jpg
  10. Another site you can visit to check your released values is https://demo.federation.org.au/shiboleth/target

Import Service Provider Description

In order to create a contract for a specific SP, you need to know which services that SP offers. A Service Provider Description is an XML document describing the services available at the SP and the attributes each of them requires. For this purpose, the SP Description must be imported into WebSharpe. The file is available from the Federation website.

  1. Save the following SP Description file, which should have been downloaded from the Federation website.
  2. In order to create contracts specifically for the "Level-1 SP" service, we need to import its Service Description.
    WebSharpe5.jpg
  3. Following importing of the Service Description, the "Demo Federation Test Site" appears in the services list. The service provider line may be expanded to show the products provided by the service provider: in this case "Demo" and "Sharpe JSP test" (the latter is the diagnostic service).
    DiagnosticService.jpg
  4. The Service Levels available for that service may be viewed by selecting the "Sharpe JSP test" link.
    WebSharpe6.jpg

Creating Contract for specific SP for all communities (groups)

The previous example showed how a contract can be created for all users to all services. This example shows how a contract can be created for a specific SP. To keep things simple, the example only shows a contract that applies to all users.

  1. Click on bronze access. We will establish a contract specifically with the service for bronze access for all communities (although this is redundant while the "all products" "all communities" contract above already delivers what we require).
    WebSharpe7.jpg
  2. This action results in the following contents of the site ARP file. Note that we have rules specified for "AnyTarget" i.e. all products, and for the "Sharpe JSP Test" product (au:testfed:level-1:demo.federation.org.au). ("target" is synonymous with "service").
    root@sharpe:/usr/local/shibboleth-idp/etc/arps# cat arp.site.xml
    
    <?xml version="1.0" encoding="UTF-8"?>
    <AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd">
        <Description>noDescription</Description>
        <Rule>
            <Description>noDescription</Description>
            <Target>
                <AnyTarget/>
            </Target>
            <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
                <AnyValue release="permit"/>
            </Attribute>
        </Rule>
        <Rule>
            <Description>noDescription</Description>
            <Target>
                <Requester>urn:mace:federation.org.au:testfed:level-1:demo.federation.org.au</Requester>
                <AnyResource/>
            </Target>
            <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
                <AnyValue release="permit"/>
            </Attribute>
        </Rule>
    </AttributeReleasePolicy>
    
  3. Accessing https://demo.federation.org.au/SharpeJSPDemo/demo.jsp confirms the release of the eduPersonAffiliation attribute (as before, due to the "all communities" "all products" example above).
    TestPageAttributesStaff0.jpg
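
To see what a site ARP like the one above actually releases to a given requester, here is an added example (not part of the original guide or the ShARPE code) that evaluates a Shibboleth 1.x ARP: it parses the AnyTarget/Requester rules, applies the deny-overrides-permit semantics, and reports the attribute values a requester would receive. The sample ARP is constructed for the example (the page's AnyTarget rule plus an extra deny rule), and only exact Requester matching is handled.

```python
import xml.etree.ElementTree as ET

ARP_NS = "{urn:mace:shibboleth:arp:1.0}"
# Constructed sample ARP (not the page's file): the AnyTarget rule WebSharpe
# wrote above plus a rule that denies the value "student" to the demo SP.
SAMPLE_ARP = """<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Rule><Target><AnyTarget/></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <AnyValue release="permit"/></Attribute></Rule>
  <Rule><Target>
      <Requester>urn:mace:federation.org.au:testfed:level-1:demo.federation.org.au</Requester>
      <AnyResource/></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <Value release="deny">student</Value></Attribute></Rule>
</AttributeReleasePolicy>"""

def _rule_matches(rule, requester):
    """Does the rule's Target apply to this requester? Only exact Requester
    matching is handled; Shibboleth matchFunction variants are not."""
    target = rule.find(ARP_NS + "Target")
    if target is None:
        return False
    if target.find(ARP_NS + "AnyTarget") is not None:
        return True
    req = target.find(ARP_NS + "Requester")
    return req is not None and (req.text or "").strip() == requester

def released_attributes(arp_xml, requester, resolved):
    """resolved: {attribute name: [values]} as the IdP's resolver supplies them.
    Returns {name: [values]} the ARP lets `requester` see: a value is released
    only if a matching rule permits it and no matching rule denies it."""
    root = ET.fromstring(arp_xml)
    permit = {name: set() for name in resolved}
    deny = {name: set() for name in resolved}
    for rule in root.findall(ARP_NS + "Rule"):
        if not _rule_matches(rule, requester):
            continue
        for attr in rule.findall(ARP_NS + "Attribute"):
            name = attr.get("name")
            if name not in resolved:
                continue  # the resolver has no such attribute to release
            for el in attr:
                bucket = deny if el.get("release") == "deny" else permit
                if el.tag == ARP_NS + "AnyValue":
                    bucket[name].update(resolved[name])
                elif el.tag == ARP_NS + "Value":
                    bucket[name].add((el.text or "").strip())
    kept = {n: [v for v in vs if v in permit[n] and v not in deny[n]] for n, vs in resolved.items()}
    return {n: vs for n, vs in kept.items() if vs}
```

Running it against the demo SP's entity ID shows "staff" released and "student" withheld, while an SP that matches only the AnyTarget rule receives every affiliation value.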

Creating Contract for specific SP for specific community (Physics)

This time the administrator would like to create a contract specifically for the Physics community, such that all users in that community enjoy more privileges.

  1. The following screen results from establishing "Gold" level access to the "Sharpe JSP Test" product.
    WebSharpe8.jpg
  2. Accessing https://demo.federation.org.au/SharpeJSPDemo/demo.jsp and logging in as a member of the "Physics" community (username physicsuser1, password test) confirms the release of the attributes required for Gold level access by members of the "Physics" community: eduPersonAffiliation (affiliation), eduPersonNickname (nickname), and sn (surname).
    TestPageAttsGoldStaff.jpg
  3. Checking the SP Description for "Level-1 SP", you will notice that the gold service level requires these three attributes:
         <ServiceLevel identifier="gold">
           <ServiceLevelName xml:lang="en">Gold Access</ServiceLevelName>
           <ServiceLevelDescription xml:lang="en">need 3 attributes</ServiceLevelDescription>
           <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation"
                                  FriendlyName="your affiliation" isRequired="true"/>
           <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonNickname"
                                  FriendlyName="your nickname" isRequired="true"/>
           <md:RequestedAttribute Name="urn:mace:dir:attribute-def:sn"
                                  FriendlyName="surname" isRequired="true"/>
         </ServiceLevel>
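
As an added example (not part of the original guide or ShARPE itself), the following reads ServiceLevel definitions like the fragment above and checks which service levels a contract's released attributes satisfy, and which required attributes are still withheld. The SP Description sample is constructed for the example and its namespace URIs are assumptions; the code matches elements by local name so the real namespaces do not matter.

```python
import xml.etree.ElementTree as ET

# Constructed SP Description fragment modelled on the "Level-1 SP" one above.
# The namespace URIs are assumptions; the code matches elements by local name.
SAMPLE_SP_DESCRIPTION = """<Service xmlns="urn:example:sharpe:spdescription"
         xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <ServiceLevel identifier="bronze">
    <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation"
                           isRequired="true"/>
  </ServiceLevel>
  <ServiceLevel identifier="gold">
    <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation"
                           isRequired="true"/>
    <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonNickname"
                           isRequired="true"/>
    <md:RequestedAttribute Name="urn:mace:dir:attribute-def:sn" isRequired="true"/>
  </ServiceLevel>
</Service>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix

def required_attributes(sp_description_xml):
    """{service level identifier: set of attribute names with isRequired="true"}"""
    levels = {}
    for level in ET.fromstring(sp_description_xml).iter():
        if _local(level.tag) != "ServiceLevel":
            continue
        levels[level.get("identifier")] = {
            ra.get("Name") for ra in level
            if _local(ra.tag) == "RequestedAttribute"
            and ra.get("isRequired", "false").lower() == "true"}
    return levels

def attainable_levels(sp_description_xml, released):
    """Service levels whose required attributes are all in `released`, the
    attribute names the IdP's contract actually sends to this SP."""
    released = set(released)
    return sorted(lvl for lvl, needed in required_attributes(sp_description_xml).items()
                  if needed <= released)

def missing_for_level(sp_description_xml, level, released):
    """Required attributes the IdP is still withholding for `level`; an empty
    list means the contract is sufficient, otherwise it is what to add in WebSharpe."""
    needed = required_attributes(sp_description_xml).get(level, set())
    return sorted(needed - set(released))
```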
    

Mapping Attributes

Deploy our dummy application

This application requires two attributes:
  1. eduPersonAffiliation
  2. fullname (a combination of firstname and lastname)

Access to the more advanced features of the application is only granted when both attributes are supplied.

Deployment:

  1. Copy the attached demo2.jsp.txt to the tomcat folder previously set up in ShibbolizingApplication1
    • mv demo2.jsp.txt $TOMCAT_HOME/webapps/jsp-examples/demo2.jsp
  2. Edit the virtual host 00X-ssl-vhost file. Just before the closing VirtualHost element, add the following block:
            <Location /jsp-examples/demo2.jsp>
                    AuthType shibboleth
                    ShibRequireSession On
                    require valid-user
            </Location>
    
  3. Edit your AAP.xml, located at /usr/local/shibboleth-sp/etc/shibboleth/AAP.xml, and add the following entry before the first AttributeRule:
       <AttributeRule Name="urn:mace:federation.org.au:testfed:level-1:attributes:fullname" Header="fullname" Alias="fullname">
            <AnySite>
                <AnyValue/>
            </AnySite>
       </AttributeRule>
    
  4. Restart Tomcat by executing $TOMCAT_HOME/bin/shutdown.sh and then $TOMCAT_HOME/bin/startup.sh
  5. If you test this by visiting https://SPDomainName/jsp-examples/demo2.jsp in a browser, you will notice that the fullname attribute is not transmitted. This is because the IdP does not know how to send such an attribute (it does not exist in the IdP's resolver or ARP anyway).

Create SP Description for sample application

We need to create an SP Description for this new service so that we can use the resulting XML file to configure the contract at the IdP (so that the IdP is able to send the correct attributes).
  1. Go to the SPDescription application at https://IdPDomainName/SPDescription
  2. Create a new SP Description file
    • SP identifier: your SP identifier, e.g. urn:mace:federation.org.au:testfed:level-1:MY_DNS
    • SP Name: any name
    • SP Location: http://MY_DNS
    • SP Description: any description
  3. Add a new Service
    • Service identifier: top:secret:product
    • Service Name: any name
    • Service Location: http://MY_DNS/productName
    • Service Description: anything
  4. Add one service level for this service
    • Service Level Identifier: lamda
    • Service Level Name: anything
    • Service Level Description: anything
  5. Add two attributes for this service level
    • attribute 1:
      • Name: urn:mace:dir:attribute-def:eduPersonAffiliation
      • FriendlyName: affiliation
      • required: YES
      • Value: AnyValue
    • attribute 2:
      • Name: urn:mace:federation.org.au:testfed:level-1:attributes:fullname
      • FriendlyName: your fullname (title firstname lastname, e.g. Ms Piggy Banks)
      • required: YES
      • Value: AnyValue
  6. Generate and save the XML

Creating Contract for demo2

  1. Go to WebSharpe at https://IdPDomainName/ShARPE and log in with password test
  2. Click on "ServiceProviders", browse for the XML file we've just created, and load it
  3. Click on "Mappings"
  4. Create a new mapping set and label it appropriately, e.g. demo2MappingSet
  5. Click on edit to edit the mapping set you've just created
  6. Select the SP you've just loaded from the listbox and click Add to attach this SP to the mapping set
  7. You will be presented with a view of all attributes in this SP (there should be just two attributes)
  8. For eduPersonAffiliation, choose "AttributeMapFunction" and map it to eduPersonAffiliation
  9. For fullname, choose "ConcatFunction", change the separator from "_" (underscore) to " " (space), and add title, given name, and sn
  10. This creates the mapping fullname = title givenName lastName (sn is equivalent to your last name)

Create a contract for demo2

  1. Click on "Contracts"
  2. Click on the service
  3. Click on your community (we suggest "staff")
  4. Select the service level wanted (there is only one: lamda)
  5. Note that two attributes are now being released
  6. Quit the browser, re-open it, go to https://SPDomainName/jsp-examples/demo2.jsp and notice that we have gained access

Resources

-- BrucLiong - 16 Feb 2006