Colorado State University


Shibboleth Service Provider - Additional Configuration

Modified on: Tue, Sep 17 2024 9:24 AM

Description

This article describes additional configurations to be added to a Shibboleth Service Provider.




Attributes

The attribute map and attribute extractor functions in the Shibboleth Service Provider enable you to read attributes from an authenticated user's session and use them for access restriction, profile population, and general user experience.


Shibboleth Attribute Map

By default, all members of the CSU Federation receive a large list of attributes from authenticated users. The shipped attribute-map file that comes with the Shibboleth installation does not automatically capture all of these attributes. To learn more about the attributes provided to CSU Federation members, review the file attached to this article (attribute-map.xml), and follow these instructions to update your configuration.


  1. In your Shibboleth Service Provider configuration, navigate to the location of your attribute-map.xml file
    1. Windows/IIS: C:\opt\shibboleth-sp\etc\shibboleth\attribute-map.xml
    2. Linux: /etc/shibboleth/attribute-map.xml
  2. Back up the current file
  3. Replace the attribute-map.xml file with the one attached to this article.
  4. Restart Shibboleth to enable the updated file.
    1. Windows/IIS: Services > Shibboleth Daemon > Right-click > Restart
    2. Linux: systemctl restart shibd


Review the Shibboleth XMLAttributeExtractor Guide to learn how to extract users' attributes from their assertion.


Shibboleth Sessions Handler

The Shibboleth Sessions Handler element displays data about the authenticated user's session, including passed attributes, on a web page used for debugging. By default, the configuration masks the attribute values on this page (indicated by showAttributeValues="false"):


  • Configuration in shibboleth2.xml (All handler elements contained in Sessions element):
    • Windows/IIS: C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml
    • Linux: /etc/shibboleth/shibboleth2.xml


<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false" acl="10.205.0.0/24 10.206.0.0/24"  />


  • Published location: (Valid authentication required first): <Service Provider domain>/Shibboleth.sso/Session
  • Example page display with values masked:


With a completed attribute map and showAttributeValues set to "true", the attribute values are also displayed on the Session page:


  • Attribute values enabled:
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="true" acl="10.205.0.0/24 10.206.0.0/24"  />


  • Example page display with values displayed
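
A configuration check for the handler setting above, added here as an example (not part of the original article or the Shibboleth project): it flags Session handlers that have showAttributeValues enabled with no acl, or with an acl entry wider than a chosen size. The sample XML, its namespace, the `/Debug` handler, the function name and the `max_hosts` threshold are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Handler line shown above; the namespace
# and the second, unrestricted handler are assumptions for illustration.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults>
    <Sessions>
      <Handler type="Session" Location="/Session" showAttributeValues="true"
               acl="10.205.0.0/24 10.206.0.0/24" />
      <Handler type="Session" Location="/Debug" showAttributeValues="true" />
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

def audit_session_handlers(xml_text, max_hosts=1024):
    """Return (Location, finding) pairs for Session handlers that show values."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Compare local names so the check works whatever the config namespace.
        if el.tag.rsplit("}", 1)[-1] != "Handler" or el.get("type") != "Session":
            continue
        if el.get("showAttributeValues", "false").lower() not in ("true", "1"):
            continue  # values are masked, nothing sensitive is rendered
        loc = el.get("Location", "?")
        acl = el.get("acl", "").split()
        if not acl:
            findings.append((loc, "values shown with no acl"))
            continue
        for entry in acl:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((loc, f"unparseable acl entry {entry!r}"))
                continue
            # max_hosts is a hypothetical policy threshold, not a Shibboleth setting.
            if net.num_addresses > max_hosts:
                findings.append((loc, f"acl entry {entry} exceeds {max_hosts} addresses"))
    return findings

if __name__ == "__main__":
    for loc, finding in audit_session_handlers(SAMPLE):
        print(f"{loc}: {finding}")
```

To check a live configuration, pass the contents of shibboleth2.xml to `audit_session_handlers` instead of the sample.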









1 Attachment (Scanned for viruses): attribute-map.xml (4 KB)