
Restricting the Selection of Identity Providers


Detailed information

With the update to Identity Provider 3.3, the RWTH Aachen central Discovery Service (DS) is no longer available. To limit the choice of identity providers in the future, you can use the Shibboleth Embedded Discovery Service (EDS).

Embedded Discovery Service (EDS)

The EDS is a set of JavaScript files that can be embedded in any HTML page and works with the discovery feed generated by the Shibboleth SP from version 2.4 onward (/Shibboleth.sso/DiscoFeed). This feed is Identity Provider (IdP) data in JSON format, generated from the metadata available via one or more MetadataProvider elements after any MetadataFilters have been applied, e.g. a whitelist of entity IDs of authorized IdPs or an EntityCategory. In this way, an entity selection can be realized with little effort which contains only the IdPs of the organizations whose users should have access to the service protected by the service provider (SP).

The official documentation for the EDS can be found in the Shibboleth Wiki.

Here is a short guide on how to install the EDS yourself:

  • Download under http://shibboleth.net/downloads/embedded-discovery-service/latest/
  • Only the following files from the downloaded ZIP file are required: idpselect_config.js, idpselect.js and, if applicable, index.html
  • Copy files to the web server directory (usually under /var/www/html)
  • Adjust index.html to your own requirements or create a separate page in which the JavaScript calls are embedded. See the comments in index.html and the official documentation
    •  For the <noscript> element, the link to a central WAYF/DS is recommended; documentation on the central Discovery Services of the DFN can be found here
  • Specific adjustments must be made in idpselect_config.js and, if necessary, idpselect.css, see the comments in the relevant files and the official documentation

Configuration of the Service Provider (usually under /etc/shibboleth/shibboleth2.xml):

<SSO discoveryProtocol="SAMLDS" discoveryURL="https://sp.uni-beispiel.de/ds/index.html">
  SAML2
</SSO>
  
<!-- usually in combination with a MetadataFilter: -->
  
<MetadataProvider type="Chaining">
   <MetadataProvider type="XML"
         uri="https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Basic-metadata.xml"
         backingFilePath="DFN-AAI-Basic-metadata.xml"
         minRefreshDelay="240" reloadInterval="300">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="604800"/>
      <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
      <MetadataFilter type="Whitelist">
         <Include>https://idp.uni-beispiel1.de/idp/shibboleth</Include>
         <Include>https://idp.uni-beispiel2.de/idp/shibboleth</Include>
         <Include>https://idp.uni-beispiel3.de/idp/shibboleth</Include>
      </MetadataFilter>
   </MetadataProvider>
   <!-- further MetadataProvider elements if required -->
</MetadataProvider>

Configuration of the Web Server

Add to VHost configuration:

Alias /ds /var/www/html/
<Location /ds>
  Require all granted
</Location>
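The EDS only narrows what the user sees in the selection list; what actually prevents the SP from accepting assertions from an unlisted IdP is the Whitelist MetadataFilter, because the DiscoFeed is built from the filtered metadata. A practical check after the steps above is therefore to compare the SP's DiscoFeed against the Include entries in shibboleth2.xml. The following script is an added example and not part of this page or of the Shibboleth project; the DiscoFeed document and the configuration excerpt are constructed inline (the excerpt mirrors the whitelist shown above and assumes the SP 3.x configuration namespace urn:mace:shibboleth:3.0:native:sp:config), and the fourth feed entry is deliberately one that the filter should have removed.

```python
import json
import xml.etree.ElementTree as ET

# Constructed excerpt of shibboleth2.xml mirroring the Whitelist filter from the
# page above. The real file carries a default namespace (assumed here to be the
# SP 3.x one); the parser below matches on local tag names so either form works.
SAMPLE_SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <MetadataProvider type="Chaining">
    <MetadataProvider type="XML"
        uri="https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Basic-metadata.xml">
      <MetadataFilter type="Whitelist">
        <Include>https://idp.uni-beispiel1.de/idp/shibboleth</Include>
        <Include>https://idp.uni-beispiel2.de/idp/shibboleth</Include>
        <Include>https://idp.uni-beispiel3.de/idp/shibboleth</Include>
      </MetadataFilter>
    </MetadataProvider>
  </MetadataProvider>
</SPConfig>"""

# Constructed sample of a /Shibboleth.sso/DiscoFeed response: a JSON array of IdP
# entries, reduced to the fields the EDS uses. The last entry is NOT whitelisted
# and stands in for a filter that is missing or not yet reloaded.
SAMPLE_DISCOFEED = json.dumps([
    {"entityID": "https://idp.uni-beispiel1.de/idp/shibboleth",
     "DisplayNames": [{"value": "Universität Beispiel 1", "lang": "de"}]},
    {"entityID": "https://idp.uni-beispiel2.de/idp/shibboleth",
     "DisplayNames": [{"value": "Universität Beispiel 2", "lang": "de"}]},
    {"entityID": "https://idp.uni-beispiel3.de/idp/shibboleth",
     "DisplayNames": [{"value": "Universität Beispiel 3", "lang": "de"}]},
    {"entityID": "https://idp.other.example/idp/shibboleth",
     "DisplayNames": [{"value": "Other IdP (should be filtered)", "lang": "en"}]},
])


def _local(tag):
    """Strip an XML namespace prefix: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def allowed_from_config(xml_text):
    """Collect every entityID listed under Whitelist MetadataFilters in an SP config."""
    root = ET.fromstring(xml_text)
    allowed = set()
    for elem in root.iter():
        if _local(elem.tag) == "MetadataFilter" and elem.get("type") == "Whitelist":
            for child in elem:
                if _local(child.tag) == "Include" and child.text and child.text.strip():
                    allowed.add(child.text.strip())
    return allowed


def parse_discofeed(text):
    """Return the set of entityIDs in a DiscoFeed document, rejecting malformed input."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("DiscoFeed must be a JSON array of IdP entries")
    ids = set()
    for entry in data:
        entity_id = entry.get("entityID") if isinstance(entry, dict) else None
        if not isinstance(entity_id, str) or not entity_id:
            raise ValueError("DiscoFeed entry without entityID: %r" % (entry,))
        ids.add(entity_id)
    return ids


def check_discofeed(feed_text, allowed):
    """Compare the feed with the whitelist.

    Returns (unexpected, missing): IdPs the feed offers although they are not
    whitelisted (the filter is not effective), and whitelisted IdPs the feed
    lacks (e.g. not present in the upstream metadata).
    """
    present = parse_discofeed(feed_text)
    return sorted(present - allowed), sorted(allowed - present)


if __name__ == "__main__":
    allowed = allowed_from_config(SAMPLE_SP_CONFIG)
    unexpected, missing = check_discofeed(SAMPLE_DISCOFEED, allowed)
    print("whitelisted IdPs:", len(allowed))
    print("offered but not whitelisted:", unexpected)
    print("whitelisted but not offered:", missing)
```

On a live SP, replace the two constructed samples with the contents of /etc/shibboleth/shibboleth2.xml and the output of an HTTP GET on /Shibboleth.sso/DiscoFeed; a non-empty "unexpected" list means the filter is not in effect (wrong file, syntax error, or metadata not yet reloaded), and the SP will still accept assertions from those IdPs regardless of what the EDS shows.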

last changed on 08/27/2024


This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License