Attribute Query

Once an organisation has migrated to SWITCH edu-ID, its Identity Provider (IdP) must support SAML attribute queries coming from the edu-ID service. These queries are used to link user accounts with their organisation and to keep those affiliations up to date (alternatively, the edu-ID service can access the organisation's user directory directly instead of using SAML attribute queries). SAML attribute queries from the edu-ID service use the swissEduID identifier attribute as the subject identifier (SAML NameID), and a Shibboleth IdP needs additional configuration to respond to them. This page describes the necessary changes.

Configuration

In file /opt/shibboleth-idp/conf/c14n/subject-c14n.xml:

  1. Add the OID of the swissEduID attribute to the list bean shibboleth.NameTransformFormats.
  2. Add the entityIDs of the SPs allowed to query with a swissEduID to the bean shibboleth.NameTransformPredicate. The entityIDs listed below are used by the edu-ID systems; only these relying parties should be able to look up accounts by swissEduID.
...
    <!-- What SAML NameID formats do you want to support direct transformations for? -->
    <util:list id="shibboleth.NameTransformFormats">
        ...
        <value>urn:oid:2.16.756.1.2.5.1.1.13</value>
    </util:list>

    <!--
    Under what conditions should direct NameID mapping be allowed? By default, never.
    Any condition can be used here; the example is suitable for enumerating a number of SPs to allow.
    -->
    <bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
        <constructor-arg>
            <list>
                <value>https://eduid.ch/shibboleth</value>
                <!-- Comment out the line below once in production -->
                <value>https://test.eduid.ch/shibboleth</value>
            </list>
        </constructor-arg>
    </bean>
...

In file /opt/shibboleth-idp/conf/ldap.properties:

  1. Update the attribute resolver LDAP search filter so that entries can be found by swissEduID (or whatever LDAP attribute stores the value of the swissEduID identifier attribute) as well as by uid.
idp.attribute.resolver.LDAP.searchFilter = (|(swissEduID=$resolutionContext.principal)(uid=$resolutionContext.principal))
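
The following Python model, added here as an illustration and not taken from SWITCH edu-ID or Shibboleth code, shows how the two settings above work together on the IdP side: an incoming SAML AttributeQuery is accepted for direct NameID mapping only if its NameID Format is in shibboleth.NameTransformFormats and its Issuer is in shibboleth.NameTransformPredicate, and only then is the principal substituted into the ldap.properties search filter. The sample queries, the unknown SP entityID https://sp.example.org/shibboleth and the RFC 4515 escaping in ldap_escape are this example's own assumptions.

```python
"""IdP-side view of the subject-c14n.xml and ldap.properties changes above.

Illustrative model written for this page, not Shibboleth IdP code. It parses a
SAML 2.0 AttributeQuery, allows direct NameID-to-principal mapping only when
the NameID Format is listed in NameTransformFormats AND the requester is listed
in NameTransformPredicate, and then fills the ldap.properties search filter.
The sample queries are constructed; the RFC 4515 escaping is this example's own
safeguard so that a NameID value cannot change the structure of the filter.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from xml.sax.saxutils import escape as xml_escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SWISS_EDU_ID_OID = "urn:oid:2.16.756.1.2.5.1.1.13"

# Mirrors <util:list id="shibboleth.NameTransformFormats">.
NAME_TRANSFORM_FORMATS = {SWISS_EDU_ID_OID}
# Mirrors the shibboleth.NameTransformPredicate entityID list
# (drop the test.eduid.ch entry in production, as the config comment says).
NAME_TRANSFORM_RELYING_PARTIES = {
    "https://eduid.ch/shibboleth",
    "https://test.eduid.ch/shibboleth",
}


def make_attribute_query(issuer: str, name_id_format: str, name_id: str) -> str:
    """Build a minimal samlp:AttributeQuery (constructed test input)."""
    fmt = xml_escape(name_id_format, {'"': "&quot;"})
    return (
        f'<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{xml_escape(issuer)}</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{fmt}">'
        f"{xml_escape(name_id)}</saml:NameID></saml:Subject>"
        "</samlp:AttributeQuery>"
    )


def parse_attribute_query(xml_text: str) -> dict:
    """Extract requester entityID (Issuer), NameID Format and NameID value."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        raise ValueError("not a samlp:AttributeQuery")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if not issuer or name_id is None or not (name_id.text or "").strip():
        raise ValueError("Issuer or Subject/NameID missing")
    return {
        "issuer": issuer.strip(),
        "format": name_id.get("Format", ""),
        "value": name_id.text.strip(),
    }


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of a filter assertion value: * ( ) \\ and NUL."""
    return "".join(
        f"\\{ord(ch):02x}" if ch in "*()\\" or ch == "\x00" else ch for ch in value
    )


def resolve_principal(query: dict) -> Tuple[Optional[str], str]:
    """Direct NameID mapping decision; both lists must match."""
    if query["format"] not in NAME_TRANSFORM_FORMATS:
        return None, f"NameID format not in NameTransformFormats: {query['format']}"
    if query["issuer"] not in NAME_TRANSFORM_RELYING_PARTIES:
        return None, f"requester not in NameTransformPredicate: {query['issuer']}"
    return query["value"], "direct NameID mapping allowed"


def ldap_search_filter(principal: str) -> str:
    """idp.attribute.resolver.LDAP.searchFilter with the principal substituted."""
    p = ldap_escape(principal)
    return f"(|(swissEduID={p})(uid={p}))"


def handle_attribute_query(xml_text: str) -> dict:
    """Run one query through the model and report what the IdP would do."""
    query = parse_attribute_query(xml_text)
    principal, reason = resolve_principal(query)
    if principal is None:
        return {"status": "rejected", "reason": reason}
    return {"status": "ok", "principal": principal,
            "ldap_filter": ldap_search_filter(principal)}


if __name__ == "__main__":
    uuid = "00007e17-9f1a-4635-bf1c-c285dd7679bf"
    cases = [
        ("https://eduid.ch/shibboleth", SWISS_EDU_ID_OID, uuid),            # allowed
        ("https://sp.example.org/shibboleth", SWISS_EDU_ID_OID, uuid),      # SP not listed
        ("https://eduid.ch/shibboleth",
         "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", uuid),     # format not listed
        ("https://eduid.ch/shibboleth", SWISS_EDU_ID_OID, "*)(uid=*"),      # hostile NameID
    ]
    for issuer, fmt, value in cases:
        print(handle_attribute_query(make_attribute_query(issuer, fmt, value)))
```

The second case is the reason the predicate list must stay short: any relying party on it can resolve attributes for every account the IdP can find by swissEduID, without any user interaction.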

Testing

To test that an IdP is correctly configured, use the AttributeResolver handler of an authorized Shibboleth SP to send an attribute query with a swissEduID. The parameters are:

  • format is the OID of the swissEduID attribute
  • entityID is the entityID of the IdP to test
  • nameId is the swissEduID to look up.
curl --get "https://test.eduid.ch/Shibboleth.sso/AttributeQuery" \
--data-urlencode "format=urn:oid:2.16.756.1.2.5.1.1.13" \
--data-urlencode "entityID=https://test.idph.switch.ch/idp/shibboleth" \
--data-urlencode "nameId=00007e17-9f1a-4635-bf1c-c285dd7679bf" 

If the query succeeds, the output is a JSON object containing the personal attributes of the account that was looked up, for example:

{
  "surname": [
    "Staff" 
  ],
  "givenName": [
    "Test3" 
  ],
  "mail": [
    "test3.staff@example.org" 
  ],
  "affiliation": [
    "member",
    "staff" 
  ],
  "homeOrganization": [
    "test.idph.switch.ch" 
  ],
  "uniqueID": [
    "7622788@example.org" 
  ],
  ...
}
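
As an added example (not part of this page's original content or of the Shibboleth SP), the Python below reproduces the client side of this test: it builds the AttributeResolver handler URL from the same three parameters and checks a returned JSON body for the attributes shown above. The required-attribute list and the failure responses are constructed for the example.

```python
"""Client side of the test above: build the AttributeResolver handler URL that
the curl command requests, and check the JSON it returns.

Added example written for this page, not SWITCH edu-ID or Shibboleth code.
The responses below are constructed: the first is the output shown on the page,
the others are failure cases. The required-attribute list is an assumption
derived from that output.
"""
import json
from urllib.parse import urlencode

SWISS_EDU_ID_OID = "urn:oid:2.16.756.1.2.5.1.1.13"
REQUIRED_ATTRIBUTES = ("surname", "givenName", "mail", "affiliation",
                       "homeOrganization", "uniqueID")
# eduPersonAffiliation controlled vocabulary.
AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                "affiliate", "employee", "library-walk-in"}


def attribute_query_url(sp_base: str, idp_entity_id: str, swiss_edu_id: str) -> str:
    """The URL requested by the curl --get call above: same parameters, URL-encoded."""
    params = {"format": SWISS_EDU_ID_OID, "entityID": idp_entity_id, "nameId": swiss_edu_id}
    return f"{sp_base}/Shibboleth.sso/AttributeQuery?{urlencode(params)}"


def check_response(body: str) -> list:
    """Return the problems found in a handler response; empty list means it looks complete."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["top-level value is not a JSON object"]
    problems = []
    for name in REQUIRED_ATTRIBUTES:
        values = data.get(name)
        if not isinstance(values, list) or not values:
            problems.append(f"missing or empty attribute: {name}")
        elif not all(isinstance(v, str) and v.strip() for v in values):
            problems.append(f"blank or non-string value in attribute: {name}")
    affiliations = data.get("affiliation")
    if isinstance(affiliations, list):
        for v in affiliations:
            if isinstance(v, str) and v not in AFFILIATIONS:
                problems.append(f"affiliation value outside the eduPerson vocabulary: {v!r}")
    return problems


# Constructed sample responses.
PAGE_RESPONSE = json.dumps({
    "surname": ["Staff"],
    "givenName": ["Test3"],
    "mail": ["test3.staff@example.org"],
    "affiliation": ["member", "staff"],
    "homeOrganization": ["test.idph.switch.ch"],
    "uniqueID": ["7622788@example.org"],
})
NO_MATCH_RESPONSE = "{}"  # nothing resolved for the NameID (constructed)
BAD_AFFILIATION_RESPONSE = PAGE_RESPONSE.replace('"staff"', '"visitor"')

if __name__ == "__main__":
    print(attribute_query_url("https://test.eduid.ch",
                              "https://test.idph.switch.ch/idp/shibboleth",
                              "00007e17-9f1a-4635-bf1c-c285dd7679bf"))
    for label, body in [("page", PAGE_RESPONSE), ("no match", NO_MATCH_RESPONSE),
                        ("bad affiliation", BAD_AFFILIATION_RESPONSE), ("html", "<html>")]:
        print(label, check_response(body) or "OK")
```

Run against live output by piping the curl result into check_response; an empty problem list is the condition to alert on in a monitoring job.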