University of Southern California Production Installation

USC runs a Shibboleth 2 server and so the definitions below relate to setup with Shibboleth 2 configuration files.

Attributes

As defined in attribute-resolver.xml

SchoolAssignedPersonID

Student Information Services feeds NSC behind the scenes and sends our unique 10-digit university identifier for each student.  In this definition the uscUSCID attribute is mapped in name only to the NSC SchoolAssignedPersonID.  No modification of this value or filtering was necessary.

<AttributeDefinition id="SchoolAssignedPersonID" xsi:type="ad:Simple" sourceAttributeID="uscUSCID">
    <Dependency ref="gds"/>
    <AttributeEncoder xsi:type="enc:SAML1String" name="SchoolAssignedPersonID" namespace="http://www.pesc.org/standards/attrs"/>
    <AttributeEncoder xsi:type="enc:SAML2String" name="SchoolAssignedPersonID" friendlyName="SchoolAssignedPersonID" />
</AttributeDefinition>

OPEID

Similar to Stanford, USC has several OPEIDs: one for the University as a whole and others for some of its schools. NSC needs only the generic OPEID, so it is hardcoded in the IdP resolver configuration via a static data connector.

<AttributeDefinition id="OPEID" xsi:type="ad:Simple">
    <Dependency ref="static-student-clearinghouse"/>
    <AttributeEncoder xsi:type="enc:SAML1String" name="OPEID" namespace="http://www.pesc.org/standards/attrs"/>
    <AttributeEncoder xsi:type="enc:SAML2String" name="OPEID" friendlyName="OPEID" />
</AttributeDefinition>

AttemptType

AttemptType is for use in testing.  In the static data connector it is defined as the string "T", which indicates a testing attempt.  However, the release of this value is commented out in attribute-filter.xml, so it does not appear at all in the data released to NSC.  It is not needed in production.

<AttributeDefinition id="AttemptType" xsi:type="ad:Simple">
    <Dependency ref="static-student-clearinghouse"/>
    <AttributeEncoder xsi:type="enc:SAML1String" name="AttemptType" namespace="https://studentclearinghouse.org/attrs" />
    <AttributeEncoder xsi:type="enc:SAML2String" name="AttemptType" friendlyName="AttemptType" />
</AttributeDefinition>

Static Data Connector

The following static data connector always returns the specified values to the AttributeDefinitions above.

<DataConnector id="static-student-clearinghouse" xsi:type="dc:Static">
    <dc:Attribute id="OPEID">
        <dc:Value>00132800</dc:Value>
    </dc:Attribute>
    <dc:Attribute id="AttemptType">
        <dc:Value>T</dc:Value>
    </dc:Attribute>
</DataConnector>

Attribute Filter

As defined in attribute-filter.xml

        <AttributeRule attributeID="SchoolAssignedPersonID">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="OPEID">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

<!-- Use AttemptType only when testing -->
<!--
        <AttributeRule attributeID="AttemptType">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
-->
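To check what the resolver and filter above actually hand to NSC, here is an added Python model (not USC's or Shibboleth's code) that parses the page's definitions and static connector and applies the filter rules. It assumes a PolicyRequirementRule of basic:AttributeRequesterString matching NSC's entityID (the page shows only the AttributeRules), treats the gds dependency as an LDAP connector fed with a constructed record, omits the encoders, and follows the ad:Simple rule that sourceAttributeID defaults to the definition id.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
DC = "urn:mace:shibboleth:2.0:resolver:dc"
NSC_ENTITY_ID = "https://shibboleth.studentclearinghouse.org/shibboleth"

# Constructed fixture: the page's three definitions and static connector, encoders omitted.
RESOLVER_XML = f"""<AttributeResolver xmlns:xsi="{XSI}" xmlns:dc="{DC}">
  <AttributeDefinition id="SchoolAssignedPersonID" xsi:type="ad:Simple" sourceAttributeID="uscUSCID"><Dependency ref="gds"/></AttributeDefinition>
  <AttributeDefinition id="OPEID" xsi:type="ad:Simple"><Dependency ref="static-student-clearinghouse"/></AttributeDefinition>
  <AttributeDefinition id="AttemptType" xsi:type="ad:Simple"><Dependency ref="static-student-clearinghouse"/></AttributeDefinition>
  <DataConnector id="static-student-clearinghouse" xsi:type="dc:Static">
    <dc:Attribute id="OPEID"><dc:Value>00132800</dc:Value></dc:Attribute>
    <dc:Attribute id="AttemptType"><dc:Value>T</dc:Value></dc:Attribute>
  </DataConnector>
</AttributeResolver>"""

# Constructed fixture: the filter rules above, AttemptType still commented out; the
# PolicyRequirementRule scoping them to NSC's entityID is assumed, not shown on the page.
FILTER_XML = f"""<AttributeFilterPolicyGroup xmlns:xsi="{XSI}">
  <AttributeFilterPolicy id="releaseToNSC">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="{NSC_ENTITY_ID}"/>
    <AttributeRule attributeID="SchoolAssignedPersonID"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
    <AttributeRule attributeID="OPEID"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
    <!-- <AttributeRule attributeID="AttemptType"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule> -->
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def resolve(ldap_record):
    """Resolve every AttributeDefinition for one user (ldap_record stands in for the 'gds' connector)."""
    root = ET.fromstring(RESOLVER_XML)
    connectors = {"gds": ldap_record}
    for dc in root.findall("DataConnector"):  # only dc:Static connectors are modelled
        connectors[dc.get("id")] = {a.get("id"): a.findtext(f"{{{DC}}}Value")
                                    for a in dc.findall(f"{{{DC}}}Attribute")}
    resolved = {}
    for ad in root.findall("AttributeDefinition"):
        src = ad.get("sourceAttributeID", ad.get("id"))  # ad:Simple defaults to its own id
        for dep in ad.findall("Dependency"):
            if src in connectors.get(dep.get("ref"), {}):
                resolved[ad.get("id")] = connectors[dep.get("ref")][src]
    return resolved

def release(resolved, requester):
    """Apply the filter: only attributes a policy matching this requester permits leave the IdP."""
    root = ET.fromstring(FILTER_XML)
    permitted = {r.get("attributeID")
                 for p in root.findall("AttributeFilterPolicy")
                 if p.find("PolicyRequirementRule").get("value") == requester
                 for r in p.findall("AttributeRule") if r.find("PermitValueRule") is not None}
    return {k: v for k, v in resolved.items() if k in permitted}
```

Uncommenting the AttemptType rule in FILTER_XML makes that attribute reappear in the release() output, which is why the rule stays commented out in production.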

Relying Party

As set in relying-party.xml:

<RelyingParty id="https://shibboleth.studentclearinghouse.org/shibboleth"
              provider="urn:mace:incommon:usc.edu"
              defaultSigningCredentialRef="incommon-creds">

        <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
                              includeAttributeStatement="true"
                              assertionLifetime="PT8H0M0.000S"
                              signResponses="conditional"
                              signAssertions="never" />

        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                              includeAttributeStatement="true"
                              assertionLifetime="PT8H0M0.000S"
                              assertionProxyCount="0"
                              signResponses="conditional"
                              signAssertions="never"
                              encryptAssertions="conditional"
                              encryptNameIds="never" />

</RelyingParty>

NSC is transitioning to a 2.x SP, so both SSO profiles should be configured. Note that as of this writing, the Artifact binding and AttributeQuery are not supported.

entityID

While transitioning to production, NSC had to change their InCommon metadata to reference a different entityID.  Their SP was requesting data with one entityID, but their metadata indicated the other.  This has been synchronized now and NSC uses the one specified in their metadata:

https://shibboleth.studentclearinghouse.org/shibboleth

Entitlement

USC also sends entitlement, as it does to every SP whether or not they use it.  NSC does not use this field; it relies only on the presence of the OPEID and the student identifier to decide whether a user is authorized, and the student identifier must match one the feed has already entered in NSC's database.  Only student data is released to NSC via the IdP.  Anyone else may authenticate successfully, but the attribute-filter.xml rule withholds the data because the required entitlement is absent from their LDAP entry.  NSC then notices the missing USCID in the data and sends such a user to an error page.

Login without WAYF

NSC has a way to spare students from having to locate their University in a WAYF.  It provides separate WAYF links, one per OPEID, which resolve through its SP directly to the relevant IdP.  NSC set up this link for use by USC students:

https://shibboleth.studentclearinghouse.org/WAYF/SelfService/OPEID/00132800

Administrator Access

Those who need to administer USC data at NSC, such as registrars, can do so with a separate login mechanism designed for that purpose.  Entitlements granting administrative roles were not used for this setup, though they would have been the preferred method had NSC supported them.
