Proof of Concept
The Attribute Mapper in the PoC setup requires configuration and additional services deployed before a successful demo is possible.
The following services need to be deployed and configured correctly in the service registry:
- EngineBlock 5.x branch with attribute aggregation feature
- Attribute Aggregation
- PDP Authz
- eduProxy SP
- iDIN IdP
- Attribute Mapper
Ensure the eduProxy SP is configured for attribute aggregation and authorization policy enforcement by enabling the following checks in the service registry:
- coin:attribute_aggregation_required
- coin:policy_enforcement_decision_required
Ensure the eduProxy SP can only access the iDIN IdP and vice versa. Ensure the eduProxy receives the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified nameID and add https://eduproxy.test2.surfconext.nl/saml/SSO as the AssertionConsumerService.
Add an attribute aggregation for the eduProxy SP and, at a minimum, add the iDIN Attribute Authority with all attributes.
Add a PDP Policy Authorization for the eduProxy and iDIN IdP that requires the attribute urn:mace:dir:attribute-def:isMemberOf with value surf.nl to be present. Use the default Permit setting and add the https://attribute-mapper.test2.surfconext.nl URL to the meaningful error description.
The eduProxy has a test endpoint that will trigger a SAML AuthnRequest to the configured IdP (e.g. SURFconext). The aggregated email address is shown together with all other SAML attributes.
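The steps above describe one authorization flow: the eduProxy SP requires attribute aggregation and a PDP decision, the aggregated attribute set must carry urn:mace:dir:attribute-def:isMemberOf with value surf.nl, and a denial points the user at the Attribute Mapper URL. The following Python model, added here as an illustration and not part of the PoC repository, walks through that flow so the expected Permit and Deny outcomes can be checked before the real services are wired up. The policy is expressed as plain Python rather than the PDP's own policy language, the entity IDs and sample attribute values are constructed placeholders, and the two `coin:` flags are modelled as booleans on the SP configuration.

```python
"""Illustrative model of the PoC authorization flow (added example, not project code)."""
from dataclasses import dataclass

# Values taken from the setup description above.
IS_MEMBER_OF = "urn:mace:dir:attribute-def:isMemberOf"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ATTRIBUTE_MAPPER_URL = "https://attribute-mapper.test2.surfconext.nl"

# Constructed placeholders: the real entity IDs are not given on the page.
EDUPROXY_SP_ID = "urn:example:eduproxy-sp"
IDIN_IDP_ID = "urn:example:idin-idp"


@dataclass(frozen=True)
class SpConfig:
    entity_id: str
    attribute_aggregation_required: bool        # models coin:attribute_aggregation_required
    policy_enforcement_decision_required: bool  # models coin:policy_enforcement_decision_required
    allowed_idps: frozenset                     # IdPs this SP may be connected to


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


def aggregate(idp_attributes, aa_attributes):
    """Merge IdP-asserted attributes with those from the attribute authority.

    Multi-valued attributes are unioned without duplicates; the IdP's values
    come first so the original assertion order is preserved.
    """
    merged = {name: list(values) for name, values in idp_attributes.items()}
    for name, values in aa_attributes.items():
        bucket = merged.setdefault(name, [])
        for value in values:
            if value not in bucket:
                bucket.append(value)
    return merged


def evaluate_policy(attributes, required_attr=IS_MEMBER_OF, required_value="surf.nl"):
    """Default-Permit policy that requires one attribute/value pair to be present."""
    if required_value in attributes.get(required_attr, []):
        return Decision(True, "Permit")
    # The "meaningful error description" from the setup, carrying the mapper URL.
    return Decision(False, f"{required_attr} must contain {required_value}; see {ATTRIBUTE_MAPPER_URL}")


def authorize(sp, idp_entity_id, nameid_format, idp_attributes, aa_attributes):
    """Run the SP's configured checks in the order the PoC setup implies."""
    if idp_entity_id not in sp.allowed_idps:
        return Decision(False, f"IdP {idp_entity_id} is not connected to SP {sp.entity_id}")
    if nameid_format != NAMEID_UNSPECIFIED:
        return Decision(False, f"unexpected NameID format {nameid_format}")
    attributes = idp_attributes
    if sp.attribute_aggregation_required:
        attributes = aggregate(idp_attributes, aa_attributes)
    if sp.policy_enforcement_decision_required:
        return evaluate_policy(attributes)
    return Decision(True, "Permit (no policy enforcement configured)")


# Constructed sample data for a local dry run.
EDUPROXY = SpConfig(EDUPROXY_SP_ID, True, True, frozenset({IDIN_IDP_ID}))
SAMPLE_IDP_ATTRIBUTES = {"urn:mace:dir:attribute-def:mail": ["alice@example.org"]}
SAMPLE_AA_ATTRIBUTES = {IS_MEMBER_OF: ["surf.nl"]}


if __name__ == "__main__":
    print(authorize(EDUPROXY, IDIN_IDP_ID, NAMEID_UNSPECIFIED, SAMPLE_IDP_ATTRIBUTES, SAMPLE_AA_ATTRIBUTES))
    print(authorize(EDUPROXY, IDIN_IDP_ID, NAMEID_UNSPECIFIED, SAMPLE_IDP_ATTRIBUTES, {}))
```

Running the module prints a Permit for the aggregated case and a Deny, with the Attribute Mapper URL in the reason, when the attribute authority contributes nothing; the same two calls are a quick way to sanity-check a policy change before repeating the demo through the eduProxy test endpoint.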