Kopierad till ny Wiki
Många universitet och högskolor som är medlemmar i Swamid använder attribut i norEduPerson, norEduPersonOrg och norEduPersonOrgUnit (http://gnomis.cvs.sourceforge.net/viewvc/gnomis/norEdu/). Det är lämpligt att även dessa attributnamn används för SAML WebSSO. Nedan finns definitioner för attributen.
Konfiguration för Shibboleth
Konfigurationerna under denna sida fungerar endast för Shibboleth 2 eller senare. För simpleSAMLphp och ADFS2 kan konfigurationsexemplen endast användas som inspiration.
Följande definitioner krävs i attribute-map.xml för en Service Provider:
<Attribute name="urn:mace:dir:attribute-def:norEduPersonLegalName" id="norEduPersonLegalName"/> <Attribute name="urn:mace:dir:attribute-def:norEduPersonNIN" id="norEduPersonNIN"/> <Attribute name="urn:mace:dir:attribute-def:norEduPersonLIN" id="norEduPersonLIN"/> <Attribute name="urn:mace:dir:attribute-def:norEduOrgAcronym" id="norEduOrgAcronym"/> <Attribute name="urn:mace:dir:attribute-def:norEduPersonBirthDate" id="norEduPersonBirthDate"/> <Attribute name="urn:mace:dir:attribute-def:norEduOrgUniqueIdentifier" id="norEduOrgUniqueIdentifier"/> <Attribute name="urn:mace:dir:attribute-def:norEduOrgUnitUniqueIdentifier" id="norEduOrgUnitUniqueIdentifier"/> <Attribute name="urn:mace:dir:attribute-def:norEduOrgNIN" id="norEduOrgNIN"/> <Attribute name="urn:mace:dir:attribute-def:norEduOrgUniqueNumber" id="norEduOrgUniqueNumber"/> <Attribute name="urn:mace:dir:attribute-def:norEduOrgUnitUniqueNumber" id="norEduOrgUnitUniqueNumber"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.10" id="norEduPersonLegalName"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.5" id="norEduPersonNIN"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.4" id="norEduPersonLIN"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.6" id="norEduOrgAcronym"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.3" id="norEduPersonBirthDate"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.7" id="norEduOrgUniqueIdentifier"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.8" id="norEduOrgUnitUniqueIdentifier"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.12" id="norEduOrgNIN"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.1" id="norEduOrgUniqueNumber"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.2" id="norEduOrgUnitUniqueNumber"/>
Följande definitioner krävs i attribute-resolver.xml för en Identity Provider:
Alla definitioner i nedanstående ruta förutsätter att du kan läsa attributen direkt ur LDAP genom en datakonnektor som heter myLDAP.
<!-- Schema: norEdu* attributes --> <resolver:AttributeDefinition id="norEduPersonLegalName" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="norEduPersonLegalName"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:norEduPersonLegalName" /> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.2428.90.1.10" friendlyName="norEduPersonLegalName" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition id="norEduPersonNIN" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="norEduPersonNIN"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:norEduPersonNIN" /> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.2428.90.1.5" friendlyName="norEduPersonNIN" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition id="norEduPersonLIN" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="norEduPersonLIN"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:norEduPersonLIN" /> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.2428.90.1.4" friendlyName="norEduPersonLIN" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="norEduOrgAcronym"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:norEduOrgAcronym" /> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition id="norEduPersonBirthDate" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="norEduPersonBirthDate"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:norEduPersonBirthDate" /> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.2428.90.1.3" friendlyName="norEduPersonBirthDate" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition id="norEduOrgUniqueIdentifier" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="norEduOrgUniqueIdentifier"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:norEduOrgUniqueIdentifier" /> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.2428.90.1.7" friendlyName="norEduOrgUniqueIdentifier" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition id="norEduOrgUnitUniqueIdentifier" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="norEduOrgUnitUniqueIdentifier"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:norEduOrgUnitUniqueIdentifier" /> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.2428.90.1.8" friendlyName="norEduOrgUnitUniqueIdentifier" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition id="norEduOrgNIN" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="norEduOrgNIN"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:norEduOrgNIN" /> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.2428.90.1.12" friendlyName="norEduOrgNIN" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition id="norEduOrgUniqueNumber" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="norEduOrgUniqueNumber"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:norEduOrgUniqueNumber" /> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.2428.90.1.1" friendlyName="norEduOrgUniqueNumber" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition id="norEduOrgUnitUniqueNumber" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="norEduOrgUnitUniqueNumber"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:norEduOrgUnitUniqueNumber" /> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.2428.90.1.2" friendlyName="norEduOrgUnitUniqueNumber" /> </resolver:AttributeDefinition>
Observera! Konfigurationen förutsätter att personnummer finns lagrat i din katalog (LDAP) med attributet norEduPersonNIN enligt skatteverkets rekommendation, för mer info se norEduPersonNIN och Svenska Personnummer .