2.3.10 CARSI-IdP 接入

对于高校 IdP 而言,通常需要同时接入 CARSI 和 SEAC。由于协议的相通性,只需要一个 IdP 服务器,修改部分配置即可完成接入。本文列出需要修改配置的部分,供调试参考

attribute-resolver

attribute-resolver.xml 中,增加属性获取的配置,确保两个联盟所需的属性都已经获取。注意匹配一下映射关系


   <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonScopedAffiliation">
        <InputDataConnector ref="myLDAP" attributeNames="userType"/>
        <Script><![CDATA[
        var localpart = "";
        if(userType.getValues().get(0)=="教师") localpart = "staff";
        else if(userType.getValues().get(0)=="全日制学生") localpart = "student";
        else localpart = "other";
        eduPersonScopedAffiliation.addValue(localpart + "@%{idp.scope}");
            ]]></Script>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
    </AttributeDefinition>

   <AttributeDefinition xsi:type="Simple" id="uid">
        <InputDataConnector ref="myLDAP" attributeNames="uid"/>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.2" friendlyName="uid" encodeType="false" />
   </AttributeDefinition>


   <AttributeDefinition xsi:type="Simple" id="cn">
        <InputDataConnector ref="myLDAP" attributeNames="cn"/>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" />
   </AttributeDefinition>

   <AttributeDefinition xsi:type="Simple" id="domainName">
        <InputDataConnector ref="staticAttributes" attributeNames="domainName"/>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:domainName" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.5" friendlyName="domainName" encodeType="false" />
   </AttributeDefinition>


   <AttributeDefinition xsi:type="ScriptedAttribute" id="typeOf">
        <InputDataConnector ref="myLDAP" attributeNames="userType"/>
        <Script><![CDATA[
        var localpart = "";
        if(userType.getValues().get(0)=="教师") localpart = "teacher";
        else if(userType.getValues().get(0)=="全日制学生") localpart = "student";
        else localpart = "other";
        typeOf.addValue(localpart);
            ]]></Script>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:typeOf" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.100.2" friendlyName="typeOf" encodeType="false" />
    </AttributeDefinition>

    <AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple">
        <InputDataConnector ref="staticAttributes" attributeNames="eduPersonEntitlement" />
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false"/>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false"/>
    </AttributeDefinition>

    <AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        <InputDataConnector ref="ComputedIDConnector" attributeNames="computedID"/>
        <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" encodeType="false"/>
        <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" encodeType="false"/>
    </AttributeDefinition>
    <DataConnector id="ComputedIDConnector" xsi:type="ComputedId" generatedAttributeID="computedID" salt="fECMt30aWePJN3fcwg0XVSHwgfBRfz+2XPZXA/4T5uw=" encoding="BASE64">
        <InputAttributeDefinition ref="eduPersonPrincipalName" />
    </DataConnector>

    <DataConnector id="staticAttributes" xsi:type="Static">
        <Attribute id="domainName">
            <Value>xxx.edu.cn</Value>
        </Attribute>
        <Attribute id="eduPersonEntitlement">
            <Value>urn:mace:dir:entitlement:common-lib-terms</Value>
        </Attribute>
    </DataConnector>

attribute-filter

修改 attribute-filter.xml 确保两个联盟的属性都已经得到释放

        <AttributeFilterPolicy id="Per-Attribute-singleValued">
            <PolicyRequirementRule xsi:type="ANY" />
            <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
            <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />
            <AttributeRule attributeID="eduPersonEntitlement" permitAny="true" />
            <AttributeRule attributeID="uid" permitAny="true" />
            <AttributeRule attributeID="cn" permitAny="true" />
            <AttributeRule attributeID="domainName" permitAny="true" />
            <AttributeRule attributeID="typeOf" permitAny="true" />
        </AttributeFilterPolicy>

metadata-provider

修改 metadata-provider.xml , 确保两个联盟的 metadata 都已经获取

    <MetadataProvider id="HTTPMetadata"
         xsi:type="FileBackedHTTPMetadataProvider"
         backingFile="/opt/shibboleth-idp/metadata/carsifed-metadata.xml"
         minRefreshDelay="PT5M"
         maxRefreshDelay="PT10M"
         metadataURL="https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml"> 
        <MetadataFilter xsi:type="SignatureValidation" certificateFile="/opt/shibboleth-idp/credentials/dsmeta.pem" />
        <MetadataFilter xsi:type="EntityRoleWhiteList">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>
    <MetadataProvider id="HTTPMetadataShec"
                      xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="/opt/shibboleth-idp/metadata/ds.shec.edu.cn.xml"
                      minRefreshDelay="PT5M" 
                      maxRefreshDelay="PT10M" 
                      metadataURL="https://ds.shec.edu.cn/metadata.xml">
    </MetadataProvider>

results matching ""

    No results matching ""