学校IdP取消某个SP访问权限的配置方法

        学校加入CARSI后,一般建议管理员老师让本地IdP的metadata文件与CARSI metadata种子文件https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml自动保持同步,以确保可以访问最近加入CARSI的SP。这一操作会自动加载CARSI联盟里所有SP的metadata信息。针对部分学校IdP管理员提出的设置SP黑名单的需求,可参照如下方法进行。此设置既适用于学校没有采购的SP,也适用于已经采购但不希望本校用户以CARSI方式访问的SP。

        请访问https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml查询已加入CARSI的数据库商SP的entityid。

        注意:完成如下配置后,本校IdP将不再接受来自黑名单SP的认证请求,本校用户将无法以CARSI方式访问该SP的所有服务。请谨慎配置。

[root@www ~]# vi /opt/shibboleth-idp/conf/metadata-providers.xml
在加载CARSI metadata的MetadataProvider元素内新增如下MetadataFilter:
<!-- Exclude the listed SPs from the loaded CARSI metadata.  Replace each
     placeholder with the SP's exact entityID as published in the CARSI feed.
     Add this filter after the SignatureValidation filter (as in the full
     example below) so that it is applied to verified metadata only;
     removeEmptyEntitiesDescriptors="true" prunes any group left empty by the
     exclusion. -->
<MetadataFilter xsi:type="Predicate" direction="exclude" removeEmptyEntitiesDescriptors="true">
    <Entity>不需要加载的SP1的entityid</Entity>
    <Entity>不需要加载的SP2的entityid</Entity>
</MetadataFilter>


metadata-providers.xml完整配置参考

<?xml version="1.0" encoding="UTF-8"?>
<!-- This file is an EXAMPLE metadata configuration file. -->
<!--
Shibboleth IdP metadata-providers.xml for a CARSI member IdP.

One live provider (id="HTTPMetadata") polls the CARSI federation metadata
feed, validates its signature and keeps only SP roles; a Predicate filter
then drops the SPs the school does not want its users to reach via CARSI.
The remaining providers are the stock commented-out examples shipped with
the IdP and are not active.
-->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:resource="urn:mace:shibboleth:2.0:resource"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd 
                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">

    <!-- ========================================================================================== -->
    <!--                             Metadata Configuration                                         -->
    <!--                                                                                            -->
    <!--  Below you place the mechanisms which define how to load the metadata for SP(s) you will   -->
    <!--  provide service to.                                                                       -->
    <!--                                                                                            -->
    <!--  Two examples are provided.  The Shibboleth Documentation at                               -->
    <!--  https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                -->
    <!--  provides more details.                                                                    --> 
    <!--                                                                                            -->
    <!--  NOTE.  This file SHOULD NOT contain the metadata for this IdP.                            -->
    <!-- ========================================================================================== -->

    <!--
    Example HTTP metadata provider.  Use this if you want to download the metadata
    from a remote source.

    You *MUST* provide the SignatureValidationFilter in order to function securely.
    Get the public key certificate from the party publishing the metadata, and validate
    it with them via some out of band mechanism (e.g., a fingerprint on a secure page).

    The EntityRoleWhiteList saves memory by only loading metadata from SAML roles
    that the IdP needs to interoperate with. 
    -->
    
    <!--
    <MetadataProvider id="HTTPMetadata"
                      xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
                      metadataURL="http://WHATEVER"> 
        
        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
        <MetadataFilter xsi:type="EntityRoleWhiteList">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>
    -->   



    <!--
    Live provider: the CARSI federation metadata feed.

    - metadataURL is fetched over HTTPS; backingFile is the local copy of the
      downloaded feed under the IdP's metadata directory.
    - minRefreshDelay / maxRefreshDelay (PT5M / PT10M) bound how often the feed
      is re-polled, so an SP newly added to (or newly excluded from) the feed
      is picked up without restarting the IdP.
    - Filter order matters: SignatureValidation is listed first so that every
      later filter, including the exclusion list below, operates on
      authenticated metadata only.
    -->
    <MetadataProvider id="HTTPMetadata"
         xsi:type="FileBackedHTTPMetadataProvider"
         backingFile="/opt/shibboleth-idp/metadata/carsifed-metadata.xml"
         minRefreshDelay="PT5M"
         maxRefreshDelay="PT10M"
         metadataURL="https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml"> 
        <!-- Verify the feed's XML signature against the CARSI metadata signing
             certificate.  dsmeta.pem must be obtained from CARSI and checked
             out of band (see the note on the example provider above).  Metadata
             failing this check is not loaded, so keep this as the first filter. -->
        <MetadataFilter xsi:type="SignatureValidation" certificateFile="/opt/shibboleth-idp/credentials/dsmeta.pem" />
        <!-- NOTE(review): the example provider above also applies
             RequiredValidUntil (maxValidityInterval="P30D") so that a stale or
             replayed copy of the feed stops being accepted; that filter is
             absent here.  Confirm that the CARSI feed publishes a validUntil
             attribute before adding it, otherwise the whole feed would be
             rejected. -->
        <!-- Keep only SP roles; other role descriptors in the feed are
             discarded to save memory. -->
        <MetadataFilter xsi:type="EntityRoleWhiteList">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
        <!-- Local blacklist: the listed entityIDs are excluded from the loaded
             metadata, so this IdP no longer answers authentication requests
             from those SPs and local users cannot reach them via CARSI.
             Replace each placeholder with the SP's exact entityID as published
             in the CARSI feed.  removeEmptyEntitiesDescriptors="true" prunes
             any EntitiesDescriptor group left empty by the exclusion. -->
        <MetadataFilter xsi:type="Predicate" direction="exclude" removeEmptyEntitiesDescriptors="true">
            <Entity>不需要加载的SP1的entityid</Entity>
            <Entity>不需要加载的SP2的entityid</Entity>
        </MetadataFilter>
    </MetadataProvider>


    <!--
    Example file metadata provider.  Use this if you want to load metadata
    from a local file.  You might use this if you have some local SPs
    which are not "federated" but you wish to offer a service to.
    
    If you do not provide a SignatureValidation filter, then you have the
    responsibility to ensure that the contents on disk are trustworthy.
    -->
    
    <!--
    <MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
    -->


    <!--
    Example CAS metadata source.
    -->

    <!--
    <MetadataProvider id="CasMetadata"
                      xsi:type="FilesystemMetadataProvider"
                      metadataFile="PATH_TO_YOUR_METADATA"
                      indexesRef="shibboleth.CASMetadataIndices" />
    -->

</MetadataProvider>



版权所有©北京大学计算中心