Comment: fixes second instance of the same typo

...

Shibboleth SP provides a hook for checking that required attributes are present, and an attribute extractor for fetching metadata attributes of the IdP where the login was performed. The end result (from the user's perspective) is an error message like the one shown below in case the user's Identity Provider did not release sufficient user information to the service:

[Image: example error message]


Further explanation and a quick demo are available in this screencast.

...

In context: /etc/shibboleth/shibboleth2.xml -> ApplicationDefaults element

<ApplicationDefaults entityID="https://<HOST>/shibboleth"
  REMOTE_USER="eppn persistent-id targeted-id"
  signing="front" encryption="false"
  sessionHook="/Shibboleth.sso/AttrChecker"
  metadataAttributePrefix="Meta-" >

...

/etc/shibboleth/shibboleth2.xml -> ApplicationDefaults element

<!-- Extracts support information for IdP from its metadata. -->
<AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName"
                    InformationURL="informationURL" PrivacyStatementURL="privacyStatementURL"
                    OrganizationURL="organizationURL">
  <ContactPerson id="Support-Contact"  contactType="support" formatter="$EmailAddress" />
  <Logo id="Small-Logo" height="16" width="16" formatter="$_string"/>
</AttributeExtractor>

...

You can also update attrChecker.html with a Perl script (attrChecker.pl). The script extracts the required attributes from the Attribute Checker handler element in shibboleth2.xml and modifies attrChecker.html accordingly. Note that the script does not work with complex scenarios using AND and OR operators; it uses only the "attributes" attribute of the handler. If you have customized attrChecker.html, make a backup of it before executing attrChecker.pl: if the script doesn't find the tags it needs for replacing content, it might break the template. The script updates three things: the PixelTracking link, by replacing the Shibboleth tags between miss= and the following "; the attribute table rows between "TableStart" and "TableEnd"; and the lines after "The attributes that were not released to the service are:" up to the next empty line.

  • attrChecker.html and the attrChecker.pl script can be downloaded from GitHub
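
A pre-flight check one might run before attrChecker.pl, as an added example (not the project's script or code from this page): it confirms that sessionHook resolves to an AttributeChecker handler and flags handlers with nested rules, which the Perl script does not handle. The Handler element, the host name and the handlerURL default in the sample are assumptions, since the page elides that part of shibboleth2.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment. The Handler element, its
# attribute list and the host name are assumptions; the page elides them.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
      REMOTE_USER="eppn persistent-id targeted-id"
      sessionHook="/Shibboleth.sso/AttrChecker"
      metadataAttributePrefix="Meta-">
    <Sessions handlerURL="/Shibboleth.sso">
      <Handler type="AttributeChecker" Location="/AttrChecker"
               template="attrChecker.html" attributes="eppn displayName"/>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

def local(tag):
    """Strip the XML namespace so the check works across SP config versions."""
    return tag.rsplit("}", 1)[-1]

def check_attr_checker(xml_text):
    """Return (required_attributes, findings) for the first ApplicationDefaults."""
    root = ET.fromstring(xml_text)
    app = next((e for e in root.iter() if local(e.tag) == "ApplicationDefaults"), None)
    if app is None:
        return [], ["no ApplicationDefaults element"]
    hook = app.get("sessionHook")
    findings = [] if hook else ["sessionHook not set: new sessions are never checked"]
    required, matched = [], False
    for sessions in (e for e in app if local(e.tag) == "Sessions"):
        base = sessions.get("handlerURL", "/Shibboleth.sso")  # assumed default
        for h in sessions:
            if local(h.tag) != "Handler" or h.get("type") != "AttributeChecker":
                continue
            matched = matched or hook == base + h.get("Location", "")
            required = h.get("attributes", "").split()
            if len(h):  # child elements such as AND / OR / Rule
                findings.append("handler uses nested rules; attrChecker.pl reads only 'attributes'")
            elif not required:
                findings.append("AttributeChecker handler requires no attributes")
    if hook and not matched:
        findings.append("sessionHook %s matches no AttributeChecker handler" % hook)
    return required, findings

if __name__ == "__main__":
    print(check_attr_checker(SAMPLE))
```

An empty findings list means the hook and handler line up and the handler uses the simple "attributes" form that attrChecker.pl can process.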

...