Versions Compared

Old Version 13

changes.mady.by.user Johan Peterson

Saved on

compared with

New Version Current

changes.mady.by.user Johan Peterson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Minot changes to HARICA

...

The PowerShell code provided for each SP should be copied to the get-ADFSTkManualSPSettings.ps1 script in the /config folder.  Please note the additional steps might also be needed.

Terena

    ### Terena.org/sp
        $TransformRules = [Ordered]@{}
        $TransformRules.'transient-id' = $AllTransformRules.'transient-id'
        $TransformRules.eduPersonTargetedID = $AllTransformRules.eduPersonTargetedID
        $TransformRules.eduPersonPrincipalName = $AllTransformRules.eduPersonPrincipalName
        $TransformRules.mail = $AllTransformRules.mail
        $TransformRules.displayName = $AllTransformRules.displayName
        $TransformRules.givenName = $AllTransformRules.givenName
        $TransformRules.sn = $AllTransformRules.sn
        $TransformRules.eduPersonScopedAffiliation = $AllTransformRules.eduPersonScopedAffiliation
        $IssuanceTransformRuleManualSP["https://terena.org/sp"] = $TransformRules
    ###

Orcid

    ### orcid.org
        $TransformRules = [Ordered]@{}
        $TransformRules.eduPersonUniqueID = $AllTransformRules.eduPersonUniqueID
        $IssuanceTransformRuleManualSP["https://orcid.org/saml2/sp/1"] = $TransformRules
    ###

Sectigo (Cert-manager)

HARICA

HARICA Sectigo needs eduPersonEntitlement =  urnurn:mace:terena.org:tcs:personal-user for all users you are allowed to, and want to, enable personal certificate issuance via SAML for. This typically means AL2 users.

Below is an example where the AL2 is retrieved from an AD group. Change the code based on how AL2 is stored in your institution..

They also need eduPersonTargetedId. In the example below norEduPersonLIN is used. If you don't have norEduPersonLIN, you can use primarysid or any other unique, persistent identifier.

### HARICA PROD

$ManualSPSettings = @{
        TransformRules    ### Cert-manager (Sectigo)
        $TransformRules = [Ordered]@{}
   }

$ManualSPSettings.TransformRules.givenName = $AllTransformRules.givenName
$ManualSPSettings.TransformRules.sn = $AllTransformRules.sn
$ManualSPSettings.TransformRules.mail =  $TransformRules$AllTransformRules.mail
$ManualSPSettings.TransformRules.'transient-id' = $AllTransformRules.'transient-id'
$ManualSPSettings.TransformRules.eduPersonPrimaryAffiliation = $AllTransformRules.eduPersonPrimaryAffiliation
$ManualSPSettings.TransformRules.eduPersonPrincipalName = $AllTransformRules.eduPersonPrincipalName
$ManualSPSettings.TransformRules.schacHomeOrganization = $AllTransformRules.schacHomeOrganization

$ManualSPSettings.TransformRules.eduPersonTargetedId = [PSCustomObject]@{
        $TransformRules.displayName = $AllTransformRules.displayName
        $TransformRules.givenName = $AllTransformRules.givenName
        $TransformRules.mail = $AllTransformRules.mail
        $TransformRules.sn = $AllTransformRules.sn
        $TransformRules.schacHomeOrganization = $AllTransformRules.schacHomeOrganization
        $TransformRulesRule=@"

        @RuleName = "Transform norEduPersonLIN"
        c:[Type == "urn:mace:dir:attribute-def:norEduPersonLIN"]
        => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
                 Value = c.Value,
                 Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
"@
        Attribute="urn:mace:dir:attribute-def:norEduPersonLIN"
    }
$ManualSPSettings.TransformRules.eduPersonEntitlement = [PSCustomObject]@{
              Rule=@"
                 @RuleName = "Set eduPersonEntitlement for AL2 users"
                              c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "<group name containing all AL2 users>"]
                            => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7", Value = "urn:mace:terena.org:tcs:personal-user", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
                           "@
                 Attribute="http://schemas.xmlsoap.org/claims/Group"
        }
        
        
$IssuanceTransformRuleManualSP["https://www.harica.gr/simplesamlphp//cert-manager.com/shibbolethmodule.php/saml/sp/metadata.php/pki-grnet-sp"] = $TransformRules$ManualSPSettings
    
###

Digicert

    ###HARICA Digicert
        $TransformRules = [Ordered]@{}
        $TransformRules["eduPersonPrincipalNameSTAGING
$IssuanceTransformRuleManualSP["https://cm-stg.harica.gr/simplesamlphp/module.php/saml/sp/metadata.php/harica-cm-stg-sp"] = $AllTransformRules["eduPersonPrincipalName"]
        $TransformRules["displayName"] = $AllTransformRules["displayName"]
        $TransformRules["mail"] = $AllTransformRules["mail"]
        $TransformRules["schacHomeOrganization"] = $AllTransformRules["schacHomeOrganization"]
        $TransformRules["eduPersonEntitlement"] = $AllTransformRules["eduPersonEntitlement"]
        $ManualSPSettings

### HARICA DEV
$IssuanceTransformRuleManualSP["https://cm-dev.harica.gr/saml/www.digicert.com/ssomodule.php/saml/sp/metadata.php/harica-cm-dev-sp"] = $TransformRules$ManualSPSettings
    
###

You also need to the following changes to the SP in the AD FS Management Console:

...

InAcademia
    ### Inacademia
        $TransformRules = [Ordered]@{}
        $TransformRules.transientid = [PSCustomObject]@{
        Rule=@"
            @RuleName = "synthesize persistent-id"
                c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
                => add(store = "_OpaqueIdStore", types = ("urn:adfstk:persistentid"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);
            @RuleName = "issue persistent-id"
                c:[Type == "urn:adfstk:persistentid"]
                => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", 
                Issuer = c.Issuer, 
                OriginalIssuer = c.OriginalIssuer, 
                Value = c.Value, ValueType = c.ValueType, 
                Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", 
                Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "[ReplaceWithSPNameQualifier]", 
                Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://$($Settings.configuration.StaticValues.ADFSExternalDNS)");
         "@
         Attribute=""
         }
         $IssuanceTransformRuleManualSP["https://inacademia.org/metadata/inacademia-simple-validation.xml"] = $TransformRules
    ###
...