From 333786a6ff05aef195fee086a7ddb1f510a9c01d Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Fri, 3 Apr 2015 22:21:07 +0200 Subject: [PATCH] sync-metadata: load AttributeConsumingService sections of SAML 2.0 metadata files (fixes #6847) --- sync-metadata_script.rst | 114 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 108 insertions(+), 6 deletions(-) diff --git a/sync-metadata_script.rst b/sync-metadata_script.rst index f2ab103..4a11887 100644 --- a/sync-metadata_script.rst +++ b/sync-metadata_script.rst @@ -20,6 +20,82 @@ Use the following command:: path_to_project/authentic2$ python manage.py sync-metadata file_name [options] +Configuration of attributes +=========================== + +If a service provider has AttributeConsumingService nodes in its +SPSSODescriptor then we create an attribute declaration for each declared +attribute. If the attribute is optional, the attribute declaration is created +disabled. + +Currently it only supports the LDAP and the LDAP attribute profile of SAML, +i.e. SAML attribute names must be LDAP attributes oid, the NameFormat must be +URI, and an LDAP server must declared so that LDAP attributes can be resolved. +Authentic2 contains a databases of the more common LDAP schemas to help the +resolution of attributes OIDs. + +Example of an AttributeConsumingService node:: + + + Université Paris 1 - cours en ligne + + Cours en ligne de l'université + Paris 1 Panthéon - Sorbonne (LMS Moodle) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +If you do not want the attribute declarations to be automatically created pass +the option `--dont-load-attribute-consuming-service` to the `sync-metadata` command. + Options ======= 
@@ -43,11 +119,9 @@ Options **For reloading, a source can only be associated with a unique metadata file. This is due to the fact that all providers of a source not found in - the metadata file are removed.** + the metadata file are removed.** :: -:: - - path_to_project/authentic2$ python manage.py sync-metadata file_name --source=french_federation + path_to_project/authentic2$ python manage.py sync-metadata file_name --source=french_federation * sp-policy @@ -73,9 +147,9 @@ Options of the script with this option. The policy is then associated to all service providers created. -:: + :: - path_to_project/authentic2$ python manage.py sync-metadata file_name --idp-policy=idp_policy_name + path_to_project/authentic2$ python manage.py sync-metadata file_name --idp-policy=idp_policy_name * delete @@ -88,3 +162,31 @@ Options * ignore-errors If loading of one EntityDescriptor fails, continue loading + +* reset-atributes + + When loading shibboleth attribute filter policies, start by removing all + existing SAML attributes for each provider, beware that it will delete any + customization of the attribute policy for each service provider. + +* dont-load-attribute-consuming-service + + Prevent loading of the attribute policy from AttributeConsumingService nodes + in the metadata file. + +* shibboleth-attribute-filter-policy + + Path to a file containing an Attribute Filter Policy for the + Shibboleth IdP, that will be used to configure SAML attributes for + each provider. The following schema is supported:: + + + + [ + + + + ]* + + + Any other kind of attribute filter policy is unsupported.
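Review bot: in the first hunk (the new "Configuration of attributes" section), "an LDAP server must declared" is missing "be", "Authentic2 contains a databases of the more common LDAP schemas" should read "a database of the most common LDAP schemas", "LDAP attributes oid" should be "LDAP attribute OIDs", and "it only supports the LDAP and the LDAP attribute profile of SAML" repeats a word (presumably "only supports the LDAP attribute profile of SAML"). More importantly, the section should make the trust consequence explicit: attribute declarations are generated from data supplied by the service provider's own metadata, so a newly loaded SP can request any attribute its metadata lists; state that administrators should review the generated declarations (including the disabled ones created for optional attributes) before the provider goes live, or say plainly that `--dont-load-attribute-consuming-service` is the way to keep attribute release under manual control. Also, in this view the "Example of an AttributeConsumingService node::" literal block shows only the text nodes (the two French display strings) and no XML elements; check that the block really contains the element markup and is indented so reST keeps it.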
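Review bot: in the `--source` hunk the literal marker is now written as `removed.** ::` at the end of the bold warning, while the `--idp-policy` hunk in the same change keeps a standalone indented `::` line. Both render correctly in reST (a `::` preceded by whitespace is dropped from the output), but the option list should use one convention; the standalone `::` line used for `--idp-policy` is the clearer of the two.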
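Review bot: `reset-atributes` in the last hunk is misspelled (compare `--dont-load-attribute-consuming-service` in the first hunk and "attributes" elsewhere in the same bullet); if the option is registered as `reset-attributes`, the documentation will not match the actual flag. The new bullets also omit the leading `--` that the first hunk uses when it tells the reader to pass `--dont-load-attribute-consuming-service`; use one form. The `reset-atributes` text says it deletes every existing SAML attribute for each provider and loses any per-provider customization; that is an irreversible change to the release policy and deserves a plain statement that it should be used only together with `shibboleth-attribute-filter-policy` and only after the current attribute policy has been saved, otherwise providers are left with no attributes at all. Finally, the literal block after "The following schema is supported::" is reduced here to a `[ ... ]*` skeleton with no element names, so the reader cannot tell which AttributeFilterPolicy structure is accepted; make sure the element markup survives in the indented block.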