Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
doc
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

README.txt

Shibboleth IdP User Agent Attribute Extension
=============================================
This plugin captures the user agent IP address at authentication and then 
allows that information to trigger the association of certain attributes/values
during attribute resolution time.

Requirements
=============================================
This plugin requires Shibboleth IdP v2.3.x


Installation/Upgrade Instructions
=============================================
The following steps must be performed during the initial installation of this
plugin and at every IdP upgrade.

1. Shutdown the container running the IdP.

2. Place the ua-attribute-idp-ext JAR file, located in this bundle, in to the 
   IdP distribution's lib directory
   
3. Edit the web.xml file, located in the src/main/webapp/WEB-INF directory of the
   IdP distribution, as follows:
   - locate the definition for the Servlet named 'UsernamePasswordAuthHandler'
     this is found around line 100 of the default web.xml file
   - replace the value of the <servlet-class> element with:
     uk.org.ukfederation.uaattribute.authn.UserAgentUsernamePasswordLoginServlet

4. Run the IdP's install script

5. Configure the attribute resolver as described below.  This step is only performed
   during initial installation.

6. Restart the container running the IdP

Configuration Instructions
=============================================
The following changes to the IdP's attribute-resolver.xml configuration file 
only need to be performed the first time you install the plugin, after that they 
will carry over through upgrades.

1. Add the following namespace declaration to the root AttributeResolver element:
   xmlns:uadc="http://ukfederation.org.uk/schemas/uaattribute/resolver"
   
2. Add the following schema locations to the existing whitespace-separated list:
   http://ukfederation.org.uk/schemas/uaattribute/resolver classpath:/schema/ua-attribute-resolver.xsd
   
3. Define a new data connector as follows, filling in the UNIQUE_ID and Mapping
   elements (described in the following section):
   <resolver:DataConnector id="UNIQUE_ID" xsi:type="uadc:UserAgentMappedAttributes">
      <uadc:Mapping cidrBlock="...." attributeId="..." attributeValue="..." />
   </resolver:DataConnector>

4. Create one attribute definition per attribute generated by the data 
   connector.  Only attributes created by attribute definitions may be
   released to a service provider.

CIDR Block -> Attribute Mappings
=============================================
This plugin creates attributes by checking if the IP address of the user agent,
at the time of authentication, matches a given range of IP addresses identified
by CIDR blocks.  The Mapping element noted in step 3, in the section above,
requires, and only accepts, following XML attributes:
* cidrBlock - the CIDR block (IPv4 or IPv6) that triggers the mapping
* attributeId - the ID of the IdP attribute generated if the mapping is triggered
* attributeValue - the value added to the IdP attribute if the mapping is triggered

You can have more than one mapping rule with the same CIDR block.  This allows
you to create multiple attributes for the given CIDR block.  You can also specify
a given attribute ID more than once in order to generate multiple values
for the ID.

About

User Agent attribute extension for the Shibboleth IdP

Resources

License

Packages

No packages published

Languages

You can’t perform that action at this time.