NIH IDP Configuration and User Support

IDP Configuration: [Shibboleth 1.3]

To interoperate with NIH, the following changes/additions need to be made to the Shibboleth configuration files (examples are from the NIH/InCommon interop on a Shibboleth IdP running HA_Shib):

SAML signing cert

Please make sure that your IDP signing certificate has not expired and that the current certificate is loaded in the InCommon metadata, as our SP does not accept assertions signed by an expired certificate.


idp.xml:

Add the following RelyingParty entries (set signingCredential and nameMapping to the proper values for your setup):

<RelyingParty name="https://federation.nih.gov/FederationGateway" signingCredential="incommon_cred" schemaHack="true" forceAttributePush="true" singleAssertion="true">
    <NameID nameMapping="hashib_mapping"/>
</RelyingParty>

<RelyingParty name="https://soadev.nih.gov/FederationGateway" signingCredential="incommon_cred" schemaHack="true" forceAttributePush="true" singleAssertion="true">
    <NameID nameMapping="hashib_mapping"/>
</RelyingParty>


resolver.xml:

Make sure that you are releasing both EPPN and its OID form: a bug in Shibboleth 1.3 requires both of them to be released. If only the OID form is released, the scope parameter is not added to the attribute value; that is why both attributes must be released. (Send EPPN as a non-smart-scoped attribute using its OID number as the definition id, and ensure that urn:mace:dir:attribute-def:eduPersonPrincipalName is defined elsewhere in resolver.xml as a smart-scoped attribute.)

<SimpleAttributeDefinition id="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" lifeTime="28800" sourceName="urn:mace:dir:attribute-def:eduPersonPrincipalName">
    <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
</SimpleAttributeDefinition>

arp.site.xml:

<Rule>
  <Target>
    <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:exactShar">https://federation.nih.gov/FederationGateway</Requester>
  </Target>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <AnyValue release="permit"/>
  </Attribute>
</Rule>

<Rule>
  <Target>
    <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:exactShar">https://soadev.nih.gov/FederationGateway</Requester>
  </Target>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <AnyValue release="permit"/>
  </Attribute>
</Rule>

More information is available from https://spaces.at.internet2.edu/display/SHIB/AlternateProfiles


FAQ:

Q) We are concerned about releasing the attribute "urn:oid:1.3.6.1.4.1.5923.1.1.1.6" to other Shibboleth SPs that expect a scoped attribute (SPs prefer the OID format rather than the name). If the IDP does not scope the attribute and instead passes the scope as part of the value itself, it may break their applications.


A) No, it will not break any application at other SPs, as this attribute is profiled that way.


https://mail.internet2.edu/wws/arc/shibboleth-users/2009-01/msg00156.html



Q) Isn't "urn:oid:1.3.6.1.4.1.5923.1.1.1.6" the same as EPPN, eduPersonPrincipalName?


A) Yes, both are the same, but the value for EPPN is not inline scoped; the scope is carried in a separate Scope attribute:

<Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <AttributeValue Scope="university.edu" xsi:type="typens:AttributeValueType">someone</AttributeValue>
</Attribute>

The value for urn:oid:1.3.6.1.4.1.5923.1.1.1.6 is inline scoped:

<Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <AttributeValue xsi:type="typens:AttributeValueType">someone@university.edu</AttributeValue>
</Attribute>


Since our SP cannot process the scope parameter, we are requesting that universities release both of these attributes (EPPN and urn:oid:1.3.6.1.4.1.5923.1.1.1.6) in the format shown above.

At a minimum, these are the attributes we are requesting:

urn:mace:dir:attribute-def:eduPersonPrincipalName
urn:mace:dir:attribute-def:mail
urn:mace:dir:attribute-def:sn
urn:mace:dir:attribute-def:givenName
urn:oid:1.3.6.1.4.1.5923.1.1.1.6
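A check for the release format described above, added here as an example and not part of the NIH or Shibboleth code: it parses a SAML 1.1 attribute statement, confirms the minimum attribute set is present, and confirms that the scoped EPPN and the inline-scoped OID form agree (the case that the Shibboleth 1.3 bug breaks). The sample statement is constructed; the function and variable names are assumptions.

```python
import xml.etree.ElementTree as ET
SAML1 = "{urn:oasis:names:tc:SAML:1.0:assertion}"
EPPN_NAME = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
# Minimum attribute set requested by NIH (from the list above).
REQUIRED = {EPPN_NAME, EPPN_OID, "urn:mace:dir:attribute-def:mail",
            "urn:mace:dir:attribute-def:sn", "urn:mace:dir:attribute-def:givenName"}

def parse_attributes(xml_text):
    """Map AttributeName -> [(value, Scope or None)] from a SAML 1.1 statement."""
    attrs = {}
    for a in ET.fromstring(xml_text).iter(SAML1 + "Attribute"):
        vals = [((v.text or "").strip(), v.get("Scope"))
                for v in a.findall(SAML1 + "AttributeValue")]
        attrs.setdefault(a.get("AttributeName"), []).extend(vals)
    return attrs

def check_release(xml_text):
    """Return a list of problems; an empty list means the release is acceptable."""
    attrs = parse_attributes(xml_text)
    problems = ["missing attribute " + n for n in sorted(REQUIRED - attrs.keys())]
    scoped, inline = attrs.get(EPPN_NAME, []), attrs.get(EPPN_OID, [])
    if scoped and inline:
        value, scope = scoped[0]  # urn:mace form: scope lives in the Scope XML attribute
        if scope is None:
            problems.append(EPPN_NAME + " has no Scope attribute")
        elif inline[0][0] != value + "@" + scope:  # OID form: scope inline as user@scope
            problems.append("%s is %r, expected %r" % (EPPN_OID, inline[0][0], value + "@" + scope))
        if inline[0][1] is not None:
            problems.append(EPPN_OID + " must carry the scope inline, not in a Scope attribute")
    return problems

# Constructed sample statement in the format shown above (not a real NIH capture).
NS = 'AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"'
SAMPLE = """<AttributeStatement xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:typens="urn:mace:shibboleth:1.0">
 <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName" %s>
  <AttributeValue Scope="university.edu" xsi:type="typens:AttributeValueType">someone</AttributeValue>
 </Attribute>
 <Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" %s>
  <AttributeValue xsi:type="typens:AttributeValueType">someone@university.edu</AttributeValue>
 </Attribute>
 <Attribute AttributeName="urn:mace:dir:attribute-def:mail" %s><AttributeValue>someone@university.edu</AttributeValue></Attribute>
 <Attribute AttributeName="urn:mace:dir:attribute-def:sn" %s><AttributeValue>Someone</AttributeValue></Attribute>
 <Attribute AttributeName="urn:mace:dir:attribute-def:givenName" %s><AttributeValue>Ann</AttributeValue></Attribute>
</AttributeStatement>""" % ((NS,) * 5)

if __name__ == "__main__":
    print("good statement:", check_release(SAMPLE))
    # OID value released without its scope, as happens when only the OID form is released under 1.3
    print("unscoped OID:", check_release(SAMPLE.replace("someone@university.edu</AttributeValue>", "someone</AttributeValue>", 1)))
```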

NOTE: You can release additional attributes in the rule by adding additional <Attribute> entries. Which additional attributes you release should be determined on a case-by-case basis. For NIH, the following attributes will be required for all LOA1 Service Providers:

  • Given name of person - required as agreed upon in the MOA with InCommon - will not break an application
  • Surname of person - required as agreed upon in the MOA with InCommon - will not break an application
  • LOA - assumed 1 - not required for LOA 1 apps - will certainly lead to lively discussions with Silver ...
  • Contact email address = mail attribute (internal MACE discussion) - required as agreed upon in the MOA with InCommon - may break an application
    This should be an email address that allows contacting the person. It need not be an institution-assigned address, but it should be an address at which the person normally receives work-related email. It will not be displayed to anyone except administrators and the people the person chooses to collaborate with.
  • Unique identifier - required as agreed upon in the MOA with InCommon - will break an application. EPPN is required, AND EPTID if available.
    Out of band - we would like to know if the institution recycles the EPPN.
  • Institution Affiliation - required as agreed upon in the MOA with InCommon - may break an application


As per the suggestion of MACE, we have created an NIH namespace (https://federation.nih.gov/FederationGateway/MACENamespaces/). Below is a sample; the actual namespace is to be posted the week of July 7th - top level only ... we threw in a child attribute to give us something to think about ... this will lead to larger organizational discussions later.

Example Values:

  Dartmouth                        http://federation.nih.gov/participant/Dartmouth
  Duke University                  http://federation.nih.gov/participant/DukeUniversity
  Duke University Medical Center   http://federation.nih.gov/participant/DukeUniversity/MedicalCenter
  Sloan Kettering                  http://federation.nih.gov/participant/SloanKettering

End User support:

We would like to gather some additional support information to assist both the application owner and the end user. Our intent is to collect this into a general support matrix that we hope will be useful for others. Please provide answers to the questions listed below. Any other relevant information you would like to provide is greatly appreciated.

  • Do most end users already have an account assigned to them? If not, how is one assigned?
  • Would an end user know what their user account is?
  • Would they recognize it by another name, such as NetID?
  • Do you have a support/helpdesk group we should route your users to?
    • What are their business hours and after-hours contact information?
  • We understand that it is possible that some of your colleges/medical centers do not know that there is an IDP in place. If that is the case, whom should they contact?
  • How would you like us to direct/route end user support questions?



Please contact NIHISCSupport@mail.nih.gov for any questions regarding the interop.


Test link after the completion of the above steps:

  https://soadev.nih.gov/FederationGateway


Please contact NIHISCSupport@mail.nih.gov once you have successfully logged in.
