Bradley Beddoes
posted this on November 05, 2010 14:11
One of the most complex tasks an IDP administrator has to keep up with is the constantly changing set of services and attribute requirements each service has.
The Federation Registry tool automates this process in two ways:
1. Keeping metadata up to date in a standards-compliant manner to advertise what IDPs offer and what SPs have been approved to receive (this is useful for non-Shibboleth implementations that comply with the SAML 2.x metadata specification).
2. Generating Shibboleth 2.x compliant Attribute-Filter policies, which are published over HTTPS and automatically consumed by IDPs. Using this approach your IDP is always in sync.
To automate your Shibboleth 2.x install, undertake the following:
1. In Federation Registry view your IDP and access the tab 'Attribute Filter', make note of your unique policy URL.
2. Navigate to your IDP conf directory. Run wget (or an equivalent tool under Windows):
wget --no-check-certificate <YOUR UNIQUE URL> -O AAF-attribute-filter.xml
Check that the file downloads correctly. Then make sure it is writable by the user your IDP Tomcat container executes as.
3. Edit the file services.xml to contain the following:
<Service id="shibboleth.AttributeFilterEngine"
         configurationResourcePollingFrequency="1800000"
         configurationResourcePollingRetryAttempts="10"
         xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
    <ConfigurationResource xsi:type="resource:FileBackedHttpResource"
                           url="[YOUR UNIQUE URL]"
                           file="/path/to/AAF-attribute-filter.xml" />
</Service>
Here is an example of ours:
<Service id="shibboleth.AttributeFilterEngine"
         configurationResourcePollingFrequency="1800000"
         configurationResourcePollingRetryAttempts="10"
         xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
    <ConfigurationResource xsi:type="resource:FileBackedHttpResource"
                           url="https://manager.test.aaf.edu.au/federationregistry/attributefilter/..."
                           file="/usr/local/site/aaf/vho_shib_idp/conf/AAF-attribute-filter.xml" />
</Service>
4. Restart your IDP (Tomcat container).
That's it. Every 30 minutes (the 1800000 ms polling frequency above) your IDP will automatically update its configuration, ensuring your users are able to access all services within the federation.
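The following script is an added example (not part of the original post, and not Federation Registry or Shibboleth code) of how the initial download in step 2 can be done with the checks an IDP operator would want before the file is put in place: the policy is fetched over HTTPS with certificate verification (the example does not use the `--no-check-certificate` behaviour of the wget line above), parsed to confirm it really is a Shibboleth 2.x AttributeFilterPolicyGroup rather than an error page, and then written atomically so the IDP's FileBackedHttpResource never reads a half-written file. The sample policy embedded in it is constructed for the example; the URL and destination path are whatever you pass on the command line.

```python
"""Fetch a Federation Registry attribute-filter policy and install it for a Shibboleth 2.x IdP.

Added example; the policy URL and destination path are command-line arguments,
and SAMPLE_POLICY is a constructed document used only to exercise the validator.
"""
import os
import ssl
import sys
import tempfile
import urllib.request
import xml.etree.ElementTree as ET

# Namespace used by Shibboleth 2.x attribute filter policy documents.
AFP_NS = "urn:mace:shibboleth:2.0:afp"


def validate_policy(xml_bytes):
    """Return the number of AttributeFilterPolicy elements in a well-formed
    AttributeFilterPolicyGroup; raise ValueError for anything else."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError("policy is not well-formed XML: %s" % exc)
    if root.tag != "{%s}AttributeFilterPolicyGroup" % AFP_NS:
        raise ValueError("root element is %r, not an afp:AttributeFilterPolicyGroup" % root.tag)
    policies = root.findall("{%s}AttributeFilterPolicy" % AFP_NS)
    if not policies:
        raise ValueError("policy group contains no AttributeFilterPolicy elements")
    return len(policies)


def policy_is_valid(xml_bytes):
    """Boolean convenience wrapper around validate_policy()."""
    try:
        validate_policy(xml_bytes)
        return True
    except ValueError:
        return False


def fetch_policy(url, timeout=30):
    """Download the policy over HTTPS; the default SSL context verifies the
    certificate chain and hostname, so a bad certificate raises instead of
    silently delivering an attacker-controlled policy."""
    if not url.startswith("https://"):
        raise ValueError("policy URL must use https")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def install_policy(xml_bytes, dest_path):
    """Validate the document, then write it via a temp file in the same
    directory and rename it over dest_path (atomic on POSIX). Returns the
    number of policies installed."""
    count = validate_policy(xml_bytes)
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".AAF-attribute-filter.")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(xml_bytes)
        os.chmod(tmp, 0o640)  # readable by the IdP's group, not world-readable
        os.replace(tmp, dest_path)
    except Exception:
        os.unlink(tmp)
        raise
    return count


# Constructed sample policy (one rule releasing eduPersonPrincipalName to one SP).
SAMPLE_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<AttributeFilterPolicyGroup id="constructed-example"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseToExampleSP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.example.org/shibboleth"/>
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s <policy-url> </path/to/AAF-attribute-filter.xml>" % sys.argv[0])
    n = install_policy(fetch_policy(sys.argv[1]), sys.argv[2])
    print("installed %d attribute filter policies to %s" % (n, sys.argv[2]))
```

Run it as the Tomcat user (or chown the result afterwards) so the file ownership matches what the FileBackedHttpResource in services.xml needs for its own periodic rewrites.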
PRO TIP: Every time you update your attribute-resolver.xml to support additional attributes, be sure to advise the Federation by updating your IDP in the 'Attributes' tab within Federation Registry.