en:services:it_security:aai:serviceowner [2024/01/31 16:19] – [Setting up your Service Provider (SP)] sdabbagen:services:it_security:aai:serviceowner [2024/01/31 16:22] – [Setting up your Service Provider (SP)] sdabbag
Line 89: Line 89:
  
 ---- ----
-** Example: Installation Guidline** +** Example: Installation Guideline**
  
  
Line 257: Line 256:
  
  
 +''/etc/shibboleth/attribute-map.xml''
 +<code>
  
 +    <!--
 +    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
 +    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
 +    few exceptions for newer attributes where the name is the same for both versions. You will
 +    usually want to uncomment or map the names for both SAML versions as a unit.
 +    -->
 +    
 +    <!-- First some useful eduPerson attributes that many sites might use. -->
 +    
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
 +        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
 +    </Attribute>
 +    
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
 +        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
 +    </Attribute>
 +    
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
 +        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
 +    </Attribute>
 +    
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
 +
 +    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
 +
 +    <Attribute name="urn:oid:3.1.3.3.8" id="up2uid"/>
 +    
 +    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
 +
 +
 +    <!-- A persistent id attribute that supports personalized anonymous access. -->
 +    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
 +        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
 +    </Attribute>
 +
 +    <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
 +    <!-- 
 +    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
 +        <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
 +    </Attribute>
 +    -->
 +    
 +    <!-- Third, the new version (note the OID-style name): -->
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
 +        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
 +    </Attribute>
 +
 +    <!-- Fourth, the SAML 2.0 NameID Format: -->
 +    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
 +        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
 +    </Attribute>
 +    
 +    <!-- Some more eduPerson attributes, uncomment these to use them... -->
 +    <!--
 +    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
 +        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
 +    </Attribute>
 +    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
 +    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
 +    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
 +    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
 +
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
 +        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
 +    </Attribute>
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
 +
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
 +    
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
 +    
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
 +    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
 +    -->
 +
 +    <!-- Examples of LDAP-based attributes, uncomment to use these... -->
 +    <!--
 +    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
 +    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
 +    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
 +    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
 +    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
 +    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
 +    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
 +    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
 +    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
 +    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
 +    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
 +    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
 +    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
 +    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
 +    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
 +    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
 +    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
 +    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
 +    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
 +    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
 +    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
 +    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
 +    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
 +    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
 +    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
 +    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
 +
 +    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
 +    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
 +    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
 +    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
 +    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
 +    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
 +    <Attribute name="urn:oid:2.5.4.12" id="title"/>
 +    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
 +    <Attribute name="urn:oid:2.5.4.13" id="description"/>
 +    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
 +    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
 +    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
 +    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
 +    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
 +    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
 +    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
 +    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
 +    <Attribute name="urn:oid:2.5.4.9" id="street"/>
 +    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
 +    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
 +    <Attribute name="urn:oid:2.5.4.8" id="st"/>
 +    <Attribute name="urn:oid:2.5.4.7" id="l"/>
 +    <Attribute name="urn:oid:2.5.4.10" id="o"/>
 +    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
 +    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
 +    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
 +    -->
 +
 +</Attributes>
 +</code>
 +
 +**/etc/apache2/site-enabled/owncloud_ssl.conf**
 +<code>
 +<VirtualHost *:443>
 +
 +  DocumentRoot /var/www/owncloud
 +
 +  <Directory />
 +    Options FollowSymLinks
 +    AllowOverride None
 +  </Directory>
 +  <Directory /var/www/>
 +    Options Indexes FollowSymLinks
 + AllowOverride All
 + Order allow,deny
 + allow from all
 +  </Directory>
 +    # always fill env with shib variable
 +    <Location />
 +        AuthType shibboleth
 +        ShibRequestSetting requireSession false
 +        Require shibboleth
 +    </Location>
 +
 +  <Location /index.php/login>
 +    AuthType shibboleth
 +    ShibRequireSession On
 +    ShibUseHeaders Off
 +    ShibExportAssertion On
 +    require valid-user
 +  </Location>
 +
 +  ServerName oc.test.up2university.eu
 +  UseCanonicalName On
 +SSLCertificateFile /etc/letsencrypt/live/oc.test.up2university.eu/fullchain.pem
 +SSLCertificateKeyFile /etc/letsencrypt/live/oc.test.up2university.eu/privkey.pem
 +Include /etc/letsencrypt/options-ssl-apache.conf
 +</VirtualHost>
 +</code>
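Review bot: The attribute-map.xml snippet is not well-formed as pasted: the content after `<code>` begins with a comment and ends with `</Attributes>`, but the `<Attributes ...>` root start tag (which carries the `urn:mace:shibboleth:2.0:attribute-map` default namespace and the `xsi` declaration that every `xsi:type` attribute in the file depends on) is missing, so a reader who copies it verbatim gets a file shibd cannot parse; add `<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">` before the first comment. In the owncloud_ssl.conf block, the `<Directory /var/www/>` section mixes Apache 2.2 access control (`Order allow,deny` / `allow from all`) with the 2.4-style `Require shibboleth` used in `<Location />`; on 2.4 the old form only works through mod_access_compat, so `Require all granted` is the consistent replacement. `Options Indexes FollowSymLinks` on that same directory enables directory listings for the whole document root, which an ownCloud host very likely does not need and which is better reduced to `Options FollowSymLinks`. `ShibRequireSession On` in the `/index.php/login` block is the legacy spelling of the `ShibRequestSetting requireSession` form used a few lines earlier; using one form in both Location blocks would avoid confusion about which setting wins. The added block appears to end at the closing `</code>`, but the hunk may continue past the last visible line.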