...
This example is based on the based on How to configure Shibboleth SP attribute checker. Please see that wiki page for further description information on how to use Shibboleth SP attribute checker.
...
Code Block | ||
---|---|---|
| ||
<!-- Metadata based attribute for Assurance Certification --> <Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="AssuranceCertification"/> |
Logging of missing requirements
Shibboleth SP doesn't track nor log failed logins due to missing attributes. The Shibboleth SP web server can be used for "pixel tracking". This means that you load an image (eg: containing only one transparent pixel) from the web server from where you can monitor logs and observe access for you image. In the url of your the image you can also insert details you want to see, eg: Authentication source (IdP) and missing attributes. This technique is used in attrChecker-html below.
Replace the image with your existing one from the following code or comment it out if you dont need it. Example below loads track.png from document root and adds variables like "idp" containing the entityID of the authentication source and "miss" denoting missing attributes.Pixel tracking
Code Block | ||
---|---|---|
| ||
<img title="track" src="/track.png?idp=<shibmlp entityID/>&miss=<shibmlpifnot displayName>-displayName</shibmlpifnot><shibmlpifnot givenName>-givenName</shibmlpifnot><shibmlpifnot cn>-cn</shibmlpifnot><shibmlpifnot sn>-sn</shibmlpifnot><shibmlpifnot eduPersonPrinpalName>-eduPersonPrinpalName</shibmlpifnot><shibmlpifnot schacHomeOrganization>-schacHomeOrganization</shibmlpifnot><shibmlpifnot schacHomeOrganizationType>-schacHomeOrganizationType</shibmlpifnot>" alt="" width="1" height="1" /> |
Template customization
Template customization
Replace the attrChecker.html that The attrChecker.html is located in the "/etc/shibboleth" directory with the template below. If you don't want to edit it by yourself, you can use the ready made template. The template has links to external components such as jquery and bootstrap. They are fetched on the fly from third party sources. Basically there are three locations needing modifications:
...
.
...
- The table showing missing attributes between the tags "TableStart" and "TableEnd". You have to insert again all the same attributes as above.
Define row for each required attribute (eg: displayName below)
Code Block | ||
---|---|---|
| ||
<tr <shibmlpifnot displayName> class='warning text-danger'</shibmlpifnot>>
<td>displayName</td>
<td><shibmlp displayName /></td>
</tr> |
- The email template between the tags "<textarea>" and "</textarea>". After "The attributes that were not released to the service are:". Again define all required attributes using shibboleth tagging like in section 1 ( eg: <shibmlpifnot $attribute> * $attribute</shibmlpifnot>). Note that for SP identifier target URL is used instead of entityID. There arent yet any tag for SP entityID so you can replace this target URL manually.
You can also update attrChecker.html with a Perl-script (attrChecker.pl). The script extracts the required attributes from the Attribute Checker handler element in shibboleth2.xml and modifies attrChecker.html accordingly (Note that script doesnt work with complex scenarios using AND and OR operators, it uses only "attributes" attribute from the handler). If you customize attrChecker.html and execute the Perl-script, make a backup of attrChecker.html before executing attrChecker.pl. If the script doesn't find the tags it needs for replacing content, it might break the template. The script updates the PixelTracking link by replacing shibboleth tags between miss= and following ", attribute table rows between "TableStart" and "TableEnd" and after line "The attributes that were not released to the service are:" until the next empty line.
...