Attribute Query

Before, or at the latest when, an organisation migrates to the SWITCH edu-ID, its Identity Provider (IdP) must answer SAML attribute queries coming from the edu-ID service. edu-ID uses these queries to link user accounts with their organisation and to keep those affiliations up to date. The queries use the swissEduPersonUniqueID attribute as the identifier (SAML NameID), which requires a small configuration change on the Shibboleth IdP so that it can resolve a principal from this identifier. This page describes the necessary changes.

Configuration

In file /opt/shibboleth-idp/conf/c14n/subject-c14n.xml:

  1. Add the OID of the swissEduPersonUniqueID attribute (urn:oid:2.16.756.1.2.5.1.1.1) to the list bean shibboleth.NameTransformFormats.
  2. Add the entityIDs of the SPs allowed to query with a swissEduPersonUniqueID as NameID to the bean shibboleth.NameTransformPredicate. Only the SPs listed there get the NameID mapped directly to a principal; the two entityIDs below are the ones used by the edu-ID systems.
...
    <!-- What SAML NameID formats do you want to support direct transformations for? -->
    <util:list id="shibboleth.NameTransformFormats">
        ...
        <value>urn:oid:2.16.756.1.2.5.1.1.1</value>
    </util:list>

    <!--
    Under what conditions should direct NameID mapping be allowed? By default, never.
    Any condition can be used here; the example is suitable for enumerating a number of SPs to allow.
    -->
    <bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
        <constructor-arg>
            <!-- EntityIDs for SPs allowed to query using the swissEduPersonUniqueID as NameID -->
            <list>
                <value>https://eduid.ch/shibboleth</value>
                <!-- Comment out the line below once in production -->
                <value>https://test.eduid.ch/shibboleth</value>
            </list>
        </constructor-arg>
    </bean>
...

In file /opt/shibboleth-idp/conf/ldap.properties:

  1. Update the attribute resolver LDAP filter so that entries can be found by swissEduPersonUniqueID (or by whatever directory attribute holds the value of swissEduPersonUniqueID). The filter below is a disjunction: the principal is matched against both swissEduPersonUniqueID and uid, so the two attributes must not share values, or a query could resolve to the wrong entry. If swissEduPersonUniqueID is not stored in your user directory but is generated by the IdP on the fly, please get in touch with SWITCH to discuss what can be done about this.
idp.attribute.resolver.LDAP.searchFilter = (|(swissEduPersonUniqueID=$resolutionContext.principal)(uid=$resolutionContext.principal))
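The following script checks both edits above against copies of subject-c14n.xml and ldap.properties before the IdP is restarted. It is an added example, not code from the SWITCH page or from the Shibboleth project. The sample inputs are constructed to mirror the fragments shown above, and the production flag is this script's own parameter (the IdP has no such setting); it exists to flag the test edu-ID entityID, which the page says to comment out once in production.

```python
"""Lint the edu-ID attribute-query settings of a Shibboleth IdP.

Added example, not from the SWITCH page or the Shibboleth project.
Checks subject-c14n.xml (NameID format + allowed SPs) and the
ldap.properties search filter; returns findings instead of raising.
"""
import re
import xml.etree.ElementTree as ET

# Spring namespaces used by the Shibboleth IdP configuration files.
NS = {
    "b": "http://www.springframework.org/schema/beans",
    "util": "http://www.springframework.org/schema/util",
}

SEP_UNIQUE_ID_OID = "urn:oid:2.16.756.1.2.5.1.1.1"  # swissEduPersonUniqueID
EDUID_PROD_SP = "https://eduid.ch/shibboleth"
EDUID_TEST_SP = "https://test.eduid.ch/shibboleth"


def lint_subject_c14n(xml_text, production):
    """Return a list of findings; empty means the c14n config is as expected."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. The OID must be among the NameID formats with direct transformation.
    fmt_list = root.find(".//util:list[@id='shibboleth.NameTransformFormats']", NS)
    formats = [] if fmt_list is None else [
        (v.text or "").strip() for v in fmt_list.findall("b:value", NS)]
    if SEP_UNIQUE_ID_OID not in formats:
        findings.append("NameTransformFormats does not contain %s" % SEP_UNIQUE_ID_OID)

    # 2. Only the edu-ID SPs may map a NameID directly to a principal.
    pred = root.find(".//b:bean[@id='shibboleth.NameTransformPredicate']", NS)
    if pred is None or pred.get("parent") != "shibboleth.Conditions.RelyingPartyId":
        findings.append("NameTransformPredicate missing or not a RelyingPartyId condition")
        allowed = []
    else:
        allowed = [(v.text or "").strip()
                   for v in pred.findall("./b:constructor-arg/b:list/b:value", NS)]
    if EDUID_PROD_SP not in allowed:
        findings.append("production edu-ID SP %s is not allowed to query" % EDUID_PROD_SP)
    for sp in allowed:
        if sp not in (EDUID_PROD_SP, EDUID_TEST_SP):
            findings.append("unexpected SP allowed to map NameIDs directly: %s" % sp)
    if production and EDUID_TEST_SP in allowed:
        findings.append("test edu-ID SP %s is still allowed in production" % EDUID_TEST_SP)
    return findings


def lint_ldap_filter(properties_text):
    """Check that the resolver filter can look up entries by swissEduPersonUniqueID."""
    m = re.search(r"^\s*idp\.attribute\.resolver\.LDAP\.searchFilter\s*=\s*(.+?)\s*$",
                  properties_text, re.MULTILINE)
    if m is None:
        return ["idp.attribute.resolver.LDAP.searchFilter is not set"]
    if "(swissEduPersonUniqueID=$resolutionContext.principal)" not in m.group(1):
        return ["search filter does not match on swissEduPersonUniqueID: " + m.group(1)]
    return []


# Constructed sample inputs, modelled on the fragments shown on this page.
SAMPLE_C14N = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.NameTransformFormats">
    <value>urn:oid:2.16.756.1.2.5.1.1.1</value>
  </util:list>
  <bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
    <constructor-arg>
      <list>
        <value>https://eduid.ch/shibboleth</value>
        <value>https://test.eduid.ch/shibboleth</value>
      </list>
    </constructor-arg>
  </bean>
</beans>
"""
SAMPLE_LDAP_OK = ("idp.attribute.resolver.LDAP.searchFilter = "
                  "(|(swissEduPersonUniqueID=$resolutionContext.principal)"
                  "(uid=$resolutionContext.principal))\n")
SAMPLE_LDAP_BAD = "idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)\n"

if __name__ == "__main__":
    for f in lint_subject_c14n(SAMPLE_C14N, production=True) + lint_ldap_filter(SAMPLE_LDAP_BAD):
        print("FINDING:", f)
```

To run it against a real IdP, read the two files from /opt/shibboleth-idp/conf/ and pass their contents to the two functions; any unexpected entityID in the predicate list deserves a look, since every SP listed there can resolve attributes for an arbitrary swissEduPersonUniqueID.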

Testing

To check that an IdP is correctly configured, use the attribute resolver handler of a Shibboleth SP that is listed in shibboleth.NameTransformPredicate (here the test edu-ID SP) to send an attribute query with a swissEduPersonUniqueID. Note the parameters:

  • format is the OID of the swissEduPersonUniqueID attribute (urn:oid:2.16.756.1.2.5.1.1.1)
  • entityID is the entityID of the IdP under test
  • nameId is the swissEduPersonUniqueID to look up.
curl --get "https://test.eduid.ch/Shibboleth.sso/AttributeQuery" \
--data-urlencode "format=urn:oid:2.16.756.1.2.5.1.1.1" \
--data-urlencode "entityID=https://test.idph.switch.ch/idp/shibboleth" \
--data-urlencode "nameId=234dsd23489@ethz.ch" 

If the query succeeds, the handler returns the attributes the IdP released for the queried account as JSON, for example:

{
  "surname": [
    "Staff" 
  ],
  "givenName": [
    "Test3" 
  ],
  "mail": [
    "test3.staff@example.org" 
  ],
  "affiliation": [
    "member",
    "staff" 
  ],
  "homeOrganization": [
    "test.idph.switch.ch" 
  ],
  "uniqueID": [
    "7622788@example.org" 
  ],
  ...
}
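The check a tester wants after the curl call above is not just "some attributes came back" but "the IdP answered for the account I asked about": the uniqueID in the response must equal the swissEduPersonUniqueID sent as nameId, and the affiliation edu-ID depends on must be present. The following script builds the same query URL as the curl command and applies those checks to the JSON answer. It is an added example, not code from the SWITCH page or the Shibboleth project; the sample response and the identifier 234dsd23489@example.org are constructed for this example.

```python
"""Build and check an edu-ID style attribute query against a Shibboleth SP handler.

Added example, not from the SWITCH page or the Shibboleth project.
build_query_url() reproduces the URL that 'curl --get ... --data-urlencode'
sends; check_response() validates the JSON the handler returns.
"""
import json
from urllib.parse import urlencode

SEP_UNIQUE_ID_OID = "urn:oid:2.16.756.1.2.5.1.1.1"  # swissEduPersonUniqueID
# eduPersonAffiliation controlled vocabulary.
EDUPERSON_AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                          "affiliate", "employee", "library-walk-in"}


def build_query_url(handler, idp_entity_id, unique_id):
    """Same request as the curl command above, with percent-encoded parameters."""
    return handler + "?" + urlencode({"format": SEP_UNIQUE_ID_OID,
                                      "entityID": idp_entity_id,
                                      "nameId": unique_id})


def check_response(body, queried_unique_id):
    """Return findings; an empty list means the IdP answered for the right account."""
    try:
        attrs = json.loads(body)
    except ValueError:
        return ["response is not JSON (handler error or no attributes returned)"]
    if not attrs:
        return ["empty response: IdP returned no attributes for " + queried_unique_id]
    findings = []
    # The response must be about the account that was queried.
    returned = attrs.get("uniqueID", [])
    if returned != [queried_unique_id]:
        findings.append("uniqueID mismatch: asked for %s, got %s" % (queried_unique_id, returned))
    # edu-ID uses the affiliation to keep the organisational link up to date.
    aff = set(attrs.get("affiliation", []))
    if not aff:
        findings.append("no affiliation returned")
    elif not aff <= EDUPERSON_AFFILIATIONS:
        findings.append("non-standard affiliation values: %s"
                        % sorted(aff - EDUPERSON_AFFILIATIONS))
    if not attrs.get("homeOrganization"):
        findings.append("homeOrganization missing")
    return findings


# Constructed sample data for this example.
QUERIED = "234dsd23489@example.org"
SAMPLE_OK = json.dumps({
    "surname": ["Staff"], "givenName": ["Test3"], "mail": ["test3.staff@example.org"],
    "affiliation": ["member", "staff"], "homeOrganization": ["test.idph.switch.ch"],
    "uniqueID": [QUERIED],
})
SAMPLE_WRONG_ACCOUNT = json.dumps({
    "uniqueID": ["7622788@example.org"], "affiliation": ["staff"],
    "homeOrganization": ["test.idph.switch.ch"],
})

if __name__ == "__main__":
    print(build_query_url("https://test.eduid.ch/Shibboleth.sso/AttributeQuery",
                          "https://test.idph.switch.ch/idp/shibboleth", QUERIED))
    for f in check_response(SAMPLE_WRONG_ACCOUNT, QUERIED):
        print("FINDING:", f)
```

A uniqueID mismatch usually points at the LDAP filter: if the query value also matched a uid, the IdP resolved a different entry than the one identified by the swissEduPersonUniqueID.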