
By default the DSX Discovery Service lists all eduGAIN IdPs for the user to select from, which is a list of several thousand IdPs. Showing all of them is often not desirable. The DSX Discovery Service allows IdPs to be filtered out so that only the relevant IdPs are shown in the list. This lets an SP admin create a list (or several lists) specifically targeting the user base of the SP. If for nothing else, the filtering should be used to hide IdPs not meant to be shown to 'normal' end users, i.e. IdPs carrying the entity category http://refeds.org/category/hide-from-discovery.

Creating the filter using the DSX DS Filter Generator

The filter is generated using DSX Filter Generator.

DSX Filter Generator

The filter generator can create two types of filters: you may filter entities based on their SAML entity categories or based on IdP entityID values.

Allow and Deny lists of Entity Categories

You may create both allow and deny lists of entity categories.

  • If an "allow" list is defined, only IdPs matching at least one of the categories on it are visible; all others are hidden.
  • If a "deny" list is defined, all IdPs matching any of the categories on it are filtered out and thus are hidden.

Allow or Deny list of IdPs

You may create an allow or a deny list of IdPs.

  • If an "allow" list is defined, IdPs that are not on this list are filtered out and thus are hidden.
  • If a "deny" list is defined, all IdPs on it are filtered out and thus are hidden.

This example shows how to list all IdPs not tagged as hidden. This is the main use case when setting up a list of all eduGAIN IdPs.

Navigate to the filter generator at https://dsx.edugain.org/filter

Click open the 'select entity categories' accordion. You should now see all the possible entity categories to choose from in a grey box.

Move http://refeds.org/category/hide-from-discovery to the red box.


At the bottom of the page you should see the resulting filter and its plaintext version.

Outcome

Show all IdPs not belonging to the category http://refeds.org/category/hide-from-discovery

This example shows how to list only IdPs tagged with the Research and Scholarship entity category.

Navigate to the filter generator at https://dsx.edugain.org/filter

Click open the 'select entity categories' accordion. You should now see all the possible entity categories to choose from in a grey box.

Move http://refeds.org/category/research-and-scholarship to the green box. Also move http://id.incommon.org/category/research-and-scholarship.

At the bottom of the page you should see the resulting filter and its plaintext version.


This example shows how to list a specific set of IdPs.

Navigate to the filter generator at https://dsx.edugain.org/filter.

Click open the 'select individual IdPs' accordion. You should now see all the possible IdPs to select from.

Make sure that the radio button 'Selected IdPs will be visible' is checked. Select the entities you want the user to pick the IdP from.

At the bottom of the page you should see the resulting filter and its plaintext version. Note that by picking individual IdPs you will easily end up with a large filter, and then you need to set it by reference.

Outcome

Show only IdPs https://idp.aalto.fi/idp/shibboleth, https://birk.wayf.dk/birk.php/wayf.au.dk and https://shibboleth.aber.ac.uk/shibboleth-TST.


Merging Two Filter Types

When both entity category and IdP list filters are used together, the list shown consists of the IdPs not filtered out by the category filter, with possible additions from the IdP allow list or possible deductions from the IdP deny list. The assumption is that the SP creates the base of the rules using category filtering and then defines possible exceptions to those rules with allow/deny lists of IdPs.
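As an added illustration (not DSX code; the FilterSpec structure and the sample IdP records are constructed, and the real DSX filter encoding is not reproduced here), the following Python applies the allow/deny rules from the sections above and the merging rule just described to a small set of IdPs:

```python
# Added example, not part of DSX. Applies the page's allow/deny semantics
# for entity categories and IdP lists to constructed IdP metadata records.
from dataclasses import dataclass, field

HIDE = "http://refeds.org/category/hide-from-discovery"
RS_REFEDS = "http://refeds.org/category/research-and-scholarship"
RS_INCOMMON = "http://id.incommon.org/category/research-and-scholarship"

# Constructed sample: entityID -> set of entity categories (not real metadata).
IDPS = {
    "https://idp.aalto.fi/idp/shibboleth": set(),
    "https://idp.example.edu/idp/shibboleth": {RS_REFEDS},
    "https://test-idp.example.org/idp/shibboleth": {HIDE},
    "https://idp.example.net/idp/shibboleth": {RS_INCOMMON, HIDE},
}


@dataclass
class FilterSpec:
    """Hypothetical in-memory form of a DSX filter (not the DSX wire format)."""
    allow_categories: set = field(default_factory=set)
    deny_categories: set = field(default_factory=set)
    allow_idps: set = field(default_factory=set)
    deny_idps: set = field(default_factory=set)


def visible_idps(idps, spec):
    """Return the sorted entityIDs a user would be shown under `spec`."""
    # Step 1: the category filters build the base list.
    base = set()
    for entity_id, cats in idps.items():
        if spec.allow_categories and not (cats & spec.allow_categories):
            continue  # allow list given and no category matched: hidden
        if cats & spec.deny_categories:
            continue  # any denied category present: hidden
        base.add(entity_id)
    # Step 2: IdP lists. With a category filter present they are exceptions
    # on top of the base list; on their own they are the whole rule.
    if spec.allow_categories or spec.deny_categories:
        shown = (base | spec.allow_idps) - spec.deny_idps
    elif spec.allow_idps:
        shown = base & spec.allow_idps  # allow list alone: only these IdPs
    else:
        shown = base - spec.deny_idps   # deny list alone (or no filter at all)
    return sorted(shown)
```

Note that an allow list of Research and Scholarship categories alone still shows an IdP that also carries hide-from-discovery; adding that category to the deny list removes it.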


This example shows how to list all IdPs tagged with the Research and Scholarship entity category plus a specific set of IdPs.

Navigate to the filter generator at https://dsx.edugain.org/filter.

Click open the 'select entity categories' accordion. You should now see all the possible entity categories to choose from in a grey box.

Move http://refeds.org/category/research-and-scholarship to the green box. Also move http://id.incommon.org/category/research-and-scholarship.

Click open the 'select individual IdPs' accordion. You should now see all the possible IdPs to select from.

Make sure that the radio button 'Selected IdPs will be visible' is checked. Select the "Aalto" entity (not belonging to the mentioned categories at the time of writing).

At the bottom of the page you should see the resulting filter and its plaintext version.

Applying the Filter in the Discovery Request

The filter generated with the tool is appended as an HTTP GET parameter to the discovery request. It can be set either by value or by reference. Some browsers limit the length of discovery request query parameters to 512 bytes. If the filter exceeds this value, one should set the filter by reference.

Filter by value - filter

https://dsx.edugain.org/wayf.php?filter=eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==

Shibboleth SP, /etc/shibboleth/shibboleth2.xml:

<SSO
    discoveryProtocol="SAMLDS"
    discoveryURL="https://dsx.edugain.org/wayf.php?filter=eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==">
    SAML2 SAML1
</SSO>

SimpleSAMLphp, authsources.php:

'default-sp' => array(
    'saml:SP',
    'entityID' => 'https://sp.example.com/simplesaml/',
    'idp' => NULL,
    'discoURL' => 'https://dsx.edugain.org/wayf.php?filter=eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==',
    'privatekey' => 'example.key'
),

Filter by reference - efilter

https://dsx.edugain.org/wayf.php?efilter=www.example.com/filter

where the contents of www.example.com/filter would be

eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==

Shibboleth SP, /etc/shibboleth/shibboleth2.xml:

<SSO
    discoveryProtocol="SAMLDS"
    discoveryURL="https://dsx.edugain.org/wayf.php?efilter=www.example.com/filter">
    SAML2 SAML1
</SSO>

SimpleSAMLphp, authsources.php:

'default-sp' => array(
    'saml:SP',
    'entityID' => 'https://sp.example.com/simplesaml/',
    'idp' => NULL,
    'discoURL' => 'https://dsx.edugain.org/wayf.php?efilter=www.example.com/filter',
    'privatekey' => 'example.key'
),