edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] Controlling which SPs have authentication access via Shibboleth

From: Albert Wu <awu AT internet2.edu>
To: Daniel Muscat <daniel.muscat AT um.edu.mt>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
Subject: Re: [eduGAIN-discuss] Controlling which SPs have authentication access via Shibboleth
Date: Thu, 25 Apr 2024 19:22:04 +0000
Accept-language: en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=internet2.edu; dmarc=pass action=none header.from=internet2.edu; dkim=pass header.d=internet2.edu; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6CjE2dx2hAmGG6wR9PrxBQ4NW/NIwUW6xkj6Vvj9Z78=; b=oUpyji2H5qXdJl5ZOKy6qHS1VtUbnRiHRB2Wt2DoYvsCIL/eC1plP8/tefLuvBEMKPgFbwRfNI2kh9LTJsUR4Q4uj/OUhm0sqWpn/DRNDm87fn0Io5eu1WWTltIaLaQycV7THmlOJTK2LjbGvMFMGtaDyBV07aKepPU41rHKPs878yJlDBhD5GqHrYC+ZatHRdxcU2u8fltiGJpBBr+bxZqKUVfFzkvNVeUdwc/69W9zMajdd/3euqQYo4quXKPg7OFDoKhiw3NlLB2F72hUFnHRndHQ0ZJ/7Wa426ZdBL5nbChSho035RNJ0muKnm35L2AWi6MjgEv2+7CoReAaNQ==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ic0pzdklhiu0b4+GflIjSMznjxFCDLt1zGFTX5YJxksTnJaIkxeFFJJJ26elCYYt3csF0wd8sdcB3+bgOAU4URo0+gkcPrbfKW1oP54OL4sLmZlbYA6ar+QSumZsswja1nLoorAfmhgGMF53v0boUXOWHnCbnqIFtK9XlG4an+DE+xY42DsrIF3I7mPrdwe8wGetk58bGs4spYfClYP1JCvtEENT3gdW7v8sFmtLKbjC5qt685ilH+F5bpyLEevBF77X3zz9sOmRYr6N9y3PiAvB7TexD2qbIQRGJ7BCjtUxOvZFkPaN6vGs2v9h0nNTypzJ6TcPmAVTsR/YtJ2b0w==
Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=internet2.edu;

Daniel,

If you are comfortable with editing XML, the attribute-filter.xml, attribute-resolver.xml family of configuration files in Shibboleth are where you configure SP integration and attribute release policies:

https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199501794/AttributeFilterConfiguration

https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199502864/AttributeResolverConfiguration

For those of us who rather use a graphical interface, a Shibboleth IdP UI developed by Unicon and Internet2 is in public beta:

Datasheet: https://www.unicon.net/hubfs/Shib_IdP_UI-datasheet.pdf

User Guide: https://spaces.at.internet2.edu/display/SMMU/Shibboleth+IdP+UI+User+Guide

albert

On 4/25/24, 11:13 AM, "edugain-discuss-request AT lists.geant.org" <edugain-discuss-request AT lists.geant.org> wrote:

Dear all

I have successfully integrated a Shibboleth IDP to function as an intermediary for Azure AD. I followed your previous recommendation, which was helpful, and now I have another question. I need a system that can manage the list of Service Providers allowed for authentication and enable me to modify the attributes to send. Could you please suggest what you usually recommend to your clients or use yourself?

Thanks in advance

Daniel Muscat

RicerkaNet Identity Federation/University of Malta

The contents of this email are subject to these terms.

[eduGAIN-discuss] Controlling which SPs have authentication access via Shibboleth, Daniel Muscat, 25-Apr-2024
- Re: [eduGAIN-discuss] Controlling which SPs have authentication access via Shibboleth, Albert Wu, 04/25/2024
- Re: [eduGAIN-discuss] Controlling which SPs have authentication access via Shibboleth, Peter Brand, 25-Apr-2024