Thu, Feb 17, 2005


This file is your Attribute Acceptance Policy engine. It’s here that you tell shibboleth what to do with incoming attributes from an AA. The eduPerson attributes are already set up for you, so we’ll look at the one I use to map the Novell NDS attribute groupMembership to specific acceptance criteria and also how to let scripting languages get at the attribute.

Here’s the SAML coming from the AA. I’ve left out the namespace declarations and wrapping SOAP and SAML elements for clarity:

<AttributeStatement>   <Subject>     <NameIdentifier Format=“urn:mace:shibboleth:1.0:nameIdentifier” NameQualifier=“idp.org.ac.uk”<5387459</NameIdentifier>   </Subject>   <Attribute AttributeName=“urn:org:uk:attribute-def:groupMembership” AttributeNamespace=“urn:mace:shibboleth:1.0:attributeNamespace:uri”>     <AttributeValue>cn=admins,ou=company,o=org</AttributeValue>     <AttributeValue>cn=testers,ou=company,o=org</AttributeValue>   </Attribute> </AttributeStatement>

The above Attribute/AttributeValue pairs show that the user identified as “5387459” is a member of the “admins” and “testers” groups at their organisation.

It’s recommended that you use “urn:mace:shibboleth:1.0:attributeNamespace:uri” for the “AttributeNamespace” of your attributes and choose an appropriate URN for the attribute itself. As you can see, our attribute is scoped to “urn:org:uk”.

So, shibb has redirected to the IdP, the user has been authenticated and the attributes have arrived at the SP. What next? How do you actually use the attributes? The steps are quite simple:

  • Configure AAP.xml to filter out unwanted attributes by specifying which attributes you'll accept
  • Leave shibboleth and move to normal Apache access control

Configure AAP.xml

Here we’ll specify how the group membership is propagated from shibboleth to apache. To do this, we first need an entry for the attribute. This will stop the SP filtering out the attribute and removing it from the assertion:

<AttributeRule Name=“urn:uhi:ac:uk:attribute-def:givenName” Header=“Organisation-First-Name” Alias=“firstname”>   <AnySite>     <AnyValue />   </AnySite> </AttributeRule>

The above AttributeRule states the following:

  • The urn:uhi:ac:uk:attribute-def:givenName attribute coming from the IdP will not be removed from the assertion
  • The “Organisation-First-Name” tag will be transformed to “HTTP_ORGANISATION_FIRST_NAME” and put in the HTTP headers. This is ideal for applications that need to do futher processing of SAML attributes. For example, you can get at the “urn:uhi:ac:uk:attribute-def:givenName” attribute in PHP by using $_SERVER[HTTP_ORGANISATION_FIRST_NAME]
  • The “firstname” tag will be made available to the normal Apache resource manager application for use in .htaccess files. For example, you can protect a site by having “require firstname Jim” in your .htaccess file

comments powered by Disqus