Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision |
en:services:it_security:aai:serviceowner [2024/01/31 16:19] – [Setting up your Service Provider (SP)] sdabbag | en:services:it_security:aai:serviceowner [2024/01/31 16:22] – [Setting up your Service Provider (SP)] sdabbag |
---|
| |
---- | ---- |
** Example: Installation Guidline** | ** Example: Installation Guideline** |
| |
| |
| |
| |
| ''/etc/shibboleth/attribute-map.xml'' |
| <code> |
| |
| <!-- |
| The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth |
| community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a |
| few exceptions for newer attributes where the name is the same for both versions. You will |
| usually want to uncomment or map the names for both SAML versions as a unit. |
| --> |
| |
| <!-- First some useful eduPerson attributes that many sites might use. --> |
| |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"> |
| <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> |
| </Attribute> |
| |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation"> |
| <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/> |
| </Attribute> |
| |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation"> |
| <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> |
| </Attribute> |
| |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/> |
| |
| <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/> |
| |
| <Attribute name="urn:oid:3.1.3.3.8" id="up2uid"/> |
| |
| <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/> |
| |
| |
| <!-- A persistent id attribute that supports personalized anonymous access. --> |
| <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id"> |
| <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> |
| </Attribute> |
| |
| <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. --> |
| <!-- |
| <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id"> |
| <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> |
| </Attribute> |
| --> |
| |
| <!-- Third, the new version (note the OID-style name): --> |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id"> |
| <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> |
| </Attribute> |
| |
| <!-- Fourth, the SAML 2.0 NameID Format: --> |
| <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id"> |
| <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> |
| </Attribute> |
| |
| <!-- Some more eduPerson attributes, uncomment these to use them... --> |
| <!-- |
| <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation"> |
| <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> |
| </Attribute> |
| <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/> |
| <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/> |
| <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/> |
| <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/> |
| |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation"> |
| <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> |
| </Attribute> |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/> |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/> |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/> |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/> |
| |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/> |
| |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/> |
| |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/> |
| <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/> |
| --> |
| |
| <!-- Examples of LDAP-based attributes, uncomment to use these... --> |
| <!-- |
| <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/> |
| <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/> |
| <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/> |
| <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/> |
| <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/> |
| <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/> |
| <Attribute name="urn:mace:dir:attribute-def:title" id="title"/> |
| <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/> |
| <Attribute name="urn:mace:dir:attribute-def:description" id="description"/> |
| <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/> |
| <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/> |
| <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/> |
| <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/> |
| <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/> |
| <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/> |
| <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/> |
| <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/> |
| <Attribute name="urn:mace:dir:attribute-def:street" id="street"/> |
| <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/> |
| <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/> |
| <Attribute name="urn:mace:dir:attribute-def:st" id="st"/> |
| <Attribute name="urn:mace:dir:attribute-def:l" id="l"/> |
| <Attribute name="urn:mace:dir:attribute-def:o" id="o"/> |
| <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/> |
| <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/> |
| <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/> |
| |
| <Attribute name="urn:oid:2.5.4.3" id="cn"/> |
| <Attribute name="urn:oid:2.5.4.4" id="sn"/> |
| <Attribute name="urn:oid:2.5.4.42" id="givenName"/> |
| <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/> |
| <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/> |
| <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/> |
| <Attribute name="urn:oid:2.5.4.12" id="title"/> |
| <Attribute name="urn:oid:2.5.4.43" id="initials"/> |
| <Attribute name="urn:oid:2.5.4.13" id="description"/> |
| <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/> |
| <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/> |
| <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/> |
| <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/> |
| <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/> |
| <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/> |
| <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/> |
| <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/> |
| <Attribute name="urn:oid:2.5.4.9" id="street"/> |
| <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/> |
| <Attribute name="urn:oid:2.5.4.17" id="postalCode"/> |
| <Attribute name="urn:oid:2.5.4.8" id="st"/> |
| <Attribute name="urn:oid:2.5.4.7" id="l"/> |
| <Attribute name="urn:oid:2.5.4.10" id="o"/> |
| <Attribute name="urn:oid:2.5.4.11" id="ou"/> |
| <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/> |
| <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/> |
| --> |
| |
| </Attributes> |
| </code> |
| |
| **/etc/apache2/site-enabled/owncloud_ssl.conf** |
| <code> |
| <VirtualHost *:443> |
| |
| DocumentRoot /var/www/owncloud |
| |
| <Directory /> |
| Options FollowSymLinks |
| AllowOverride None |
| </Directory> |
| <Directory /var/www/> |
| Options Indexes FollowSymLinks |
| AllowOverride All |
| Order allow,deny |
| allow from all |
| </Directory> |
| # always fill env with shib variable |
| <Location /> |
| AuthType shibboleth |
| ShibRequestSetting requireSession false |
| Require shibboleth |
| </Location> |
| |
| <Location /index.php/login> |
| AuthType shibboleth |
| ShibRequireSession On |
| ShibUseHeaders Off |
| ShibExportAssertion On |
| require valid-user |
| </Location> |
| |
| ServerName oc.test.up2university.eu |
| UseCanonicalName On |
| SSLCertificateFile /etc/letsencrypt/live/oc.test.up2university.eu/fullchain.pem |
| SSLCertificateKeyFile /etc/letsencrypt/live/oc.test.up2university.eu/privkey.pem |
| Include /etc/letsencrypt/options-ssl-apache.conf |
| </VirtualHost> |
| </code> |