...

To check a user's assurance profile you need to check that the Identity Provider is approved for the same assurance profile as it has asserted for the user. To do this you need to activate extended functionality in the Shibboleth Service Provider. This extension has been available since version 2.2.

Activate Metadata Attribute Extraction for Identity Provider metadata

To get the approved assurance profiles from metadata you need to activate the Metadata Attribute Extraction extension in Shibboleth SP. This is done by extending the ApplicationDefaults tag in Shibboleth2.xml, adding metadataAttributePrefix="Meta-" after REMOTE_USER="..."; see the example. This setting is part of the standard example file example-shibboleth2.xml in later versions of Shibboleth SP. It is also included in the SWAMID Configure Shibboleth SP - SWAMID-shibboleth2.xml.

...

Important information

Please note that you may get too many headers after activating this extension. If you do, please remove all unused attributes from attribute-map.xml or modify backend header limits (LimitRequestFields/LimitRequestFieldSize in Apache HTTPD Server, maxHeaderCount/maxHttpHeaderSize in Apache Tomcat Connectors).

Define metadata assurance certification attribute

The next step is to make the approved assurance levels available in the application. This is done in attribute-map.xml, the same way as for normal Identity Provider asserted attributes. It is also included in 3.2 Configure Shibboleth SP - attribute-map.xml.

...

After the activation of Metadata Attribute Extraction and the attribute definition, all Identity Provider approved assurance profiles are available in the multi-valued attribute Meta-Assurance-Certification.

Expected Web Application behavior

If the web application needs to check whether a user is approved for an assurance profile, the application needs to check the approved assurance profiles for both the user and the Identity Provider used, as described in the bulleted list in this document.

...
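The check described above, as an added example that is not part of the original page or of the Shibboleth or SWAMID code: a profile is accepted only when it appears both in the user's asserted values and in Meta-Assurance-Certification. The user attribute name eduPersonAssurance, the example.org profile URIs and the sample environments are assumptions constructed for illustration.

```python
import re

# Meta-Assurance-Certification is the attribute named on this page.
# USER_ATTR is an assumption: use the id your attribute-map.xml gives the
# assurance attribute asserted by the Identity Provider for the user.
IDP_ATTR = "Meta-Assurance-Certification"
USER_ATTR = "eduPersonAssurance"

def split_values(raw):
    # Shibboleth SP joins multiple values with ';' and escapes a literal
    # semicolon inside a value as backslash-semicolon.
    if not raw:
        return set()
    parts = re.split(r"(?<!\\);", raw)
    return {p.replace("\\;", ";").strip() for p in parts if p.strip()}

def effective_profiles(environ):
    # Profiles asserted for the user AND approved for the Identity Provider.
    return split_values(environ.get(USER_ATTR)) & split_values(environ.get(IDP_ATTR))

def has_assurance(environ, required):
    # Fails closed: a missing or empty attribute on either side means "no".
    return required in effective_profiles(environ)

# Constructed sample data (placeholder URIs, not real profile identifiers).
AL1 = "https://example.org/assurance/al1"
AL2 = "https://example.org/assurance/al2"

SAMPLE_OK = {USER_ATTR: AL1 + ";" + AL2, IDP_ATTR: AL1 + ";" + AL2}
# The IdP asserts AL2 for the user but is only approved for AL1 in metadata.
SAMPLE_OVERCLAIM = {USER_ATTR: AL1 + ";" + AL2, IDP_ATTR: AL1}
# Metadata Attribute Extraction not active, so no Meta- attribute is present.
SAMPLE_NO_META = {USER_ATTR: AL2}

if __name__ == "__main__":
    for name, env in [("ok", SAMPLE_OK), ("overclaim", SAMPLE_OVERCLAIM),
                      ("no-meta", SAMPLE_NO_META)]:
        print(name, "AL2 accepted:", has_assurance(env, AL2))
```

The dictionary passed in is assumed to be the request environment populated by the Shibboleth SP, for example the WSGI environ.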