...
Spring <bean> elements that create Yale-configured Spring Bean objects have to go somewhere. The two obvious places to put them are global.xml and services.xml. We put them at the end of the services.xml file. The current use is to create "predicates" that return true or false depending on whether the EntityID of the application (relying party) the user is logging into appears in a configured list of EntityIDs.
Relying Party
In Shibboleth 2 the relying-party.xml file also included MetadataProviders. In Shib 3 there is a separate file for metadata-providers.
Our Shibboleth 3 relying-party.xml file configures the same defaults that were configured with a different XML syntax in our Shib 2 configuration file. There is one really important statement:
```xml
<bean parent="SAML2.SSO" p:postAuthenticationFlows="%{idp.postauthenticationflows}"
    p:encryptAssertions="false" p:encryptNameIDs="false" p:encryptAttributes="false" />
```
Our exclusive use of Shibboleth is Single Sign-On (SSO), so this is pretty much the only statement that gets used. The parameters tell Shibboleth that by default (unless overridden by the Service Provider's Metadata) we do not encrypt the data in the SAML statements. That follows common practice: vendors rely on SSL/TLS on the transport for privacy, and encrypting the attributes inside the assertion makes debugging problems impossible.
The postAuthenticationFlows parameter currently has one interesting possible value. If it is set to "attribute-release" it triggers the Consent dialog, where the user is shown the list of attributes that are going to be released and has a chance to approve them. Currently we turn Consent on for DEV (because it makes debugging easier) and for Anonymous Relying Parties (where we get a SAML Request from an EntityID for which we have no Metadata).
In the near future:
- We may want to turn off Anonymous Relying Parties. First we need to confirm that Metadata has been generated for every party we currently support in production. Scanning the Shib 3 logs will give us a chance to find any remaining legitimate Anonymous RPs and configure them properly. Until then, Consent stays on for Anonymous RPs.
Metadata Providers
The metadata-providers.xml file contains almost exactly the same content as in Shibboleth 2. The only change is that refresh periods have to be expressed as ISO 8601 durations such as "PT5M" (which means check every 5 minutes), whereas in Shibboleth 2 the same thing could be expressed as an integer number of milliseconds.
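When migrating a metadata-providers.xml file it is easy to mistype the new duration syntax. The following helper, added here as an example and not part of Yale's configuration, converts a Shib 2 millisecond value into the ISO 8601 form and back, so the two settings can be checked against each other before the file is deployed. It supports the day, hour, minute and second components of the duration syntax; sub-second values are rejected because they make no sense as a refresh period.

```python
import re

# Accepts the P[nD][T[nH][nM][nS]] subset of ISO 8601 durations, e.g. PT5M or P1DT12H.
_ISO = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")


def ms_to_iso_duration(ms):
    """Convert a Shib 2 style millisecond count into the ISO 8601 form Shib 3 expects."""
    if ms <= 0 or ms % 1000:
        raise ValueError("refresh period must be a positive whole number of seconds")
    total = ms // 1000
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    out = "P" + (f"{days}D" if days else "")
    time_part = "".join(
        f"{value}{unit}"
        for value, unit in ((hours, "H"), (minutes, "M"), (seconds, "S"))
        if value
    )
    if time_part:
        out += "T" + time_part
    return out


def iso_duration_to_ms(text):
    """Convert a duration such as 'PT5M' back to milliseconds for comparison with the old value."""
    m = _ISO.fullmatch(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"not a supported ISO 8601 duration: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return (days * 86400 + hours * 3600 + minutes * 60 + seconds) * 1000


if __name__ == "__main__":
    # Constructed sample: the 5 minute refresh mentioned on this page.
    print(ms_to_iso_duration(300000))        # PT5M
    print(iso_duration_to_ms("PT5M"))        # 300000
```

Run the converter over the old integer values and compare the output with what was typed into the Shib 3 file; a mismatch usually means a unit slip such as writing "PT5S" for "PT5M".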
Access Control (to Status Page)
Currently the only form of Access Control is by IP address. We modified the conf/access-control.xml file so that additional IP address ranges are inserted from a property file value:

```xml
p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', %{allow.status}} }"
```
So if the properties files have a line of the form:
```properties
allow.status='172.28.187.0/24','172.17.40.0/24'
```
then a subnet in the DevOps area of ITS and a subnet in the SPS_DC VPN are able to display the status page. This will be expanded on request.
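Because the property value is spliced verbatim into a SpEL list literal, a malformed entry only shows up when the IdP fails to start, and an entry with host bits set could be misread as a wider range. The script below is an added example (not part of Yale's configuration) that mirrors the merge performed by the expression above: it parses an allow.status line, combines it with the built-in loopback ranges, validates each CIDR strictly, and reports whether a given client address would be allowed to reach the status page. The property line used is a constructed sample in the form shown on this page.

```python
import ipaddress
import re

# Ranges the stock access-control.xml allows before the property value is spliced in.
DEFAULT_RANGES = ["127.0.0.1/32", "::1/128"]


def parse_allow_status(line):
    """Extract the CIDR strings from a line such as
        allow.status='172.28.187.0/24','172.17.40.0/24'
    Values must be single-quoted because they land unchanged inside the
    SpEL list literal in access-control.xml."""
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "allow.status":
        raise ValueError("expected an allow.status=... line")
    ranges = re.findall(r"'([^']*)'", value)
    if not ranges:
        raise ValueError("allow.status carries no quoted CIDR values")
    return ranges


def invalid_entries(property_line):
    """Return the entries that are not valid, strictly written CIDR ranges.
    strict=True rejects e.g. 172.28.187.5/24 (host bits set) instead of
    silently widening it to 172.28.187.0/24."""
    bad = []
    for entry in parse_allow_status(property_line):
        try:
            ipaddress.ip_network(entry, strict=True)
        except ValueError:
            bad.append(entry)
    return bad


def build_allowed_networks(property_line):
    """Merge the defaults with the property value, as the #{ {...} } expression does."""
    if invalid_entries(property_line):
        raise ValueError(f"invalid CIDR entries: {invalid_entries(property_line)}")
    return [ipaddress.ip_network(r, strict=True)
            for r in DEFAULT_RANGES + parse_allow_status(property_line)]


def is_allowed(client_ip, networks):
    """True when the client address falls inside any allowed range.
    The ipaddress module never matches an IPv4 address against an IPv6 network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Constructed sample property line, in the form shown on this page.
    nets = build_allowed_networks("allow.status='172.28.187.0/24','172.17.40.0/24'")
    for ip in ("127.0.0.1", "172.28.187.17", "172.17.41.1", "::1"):
        print(ip, is_allowed(ip, nets))
```

Running this against the production property file before a restart catches a bad range without taking the IdP down, and the is_allowed check documents exactly which hosts can reach the status page when a new subnet is requested.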
Logo and Footer
In a few messages we replace a dummy logo with a Yale ITS logo. The image is in webapp/images/YaleITS.png and it is selected by these lines in messages/error-messages.properties:

```properties
idp.logo = /images/YaleITS.png
idp.logo.alt-text = YaleITS
idp.message = An unidentified error occurred.
idp.footer = Yale University Shibboleth Identity Provider
```