SAML2/Shibb client login to Gartner

SAML2/Shibb client login to Gartner

IAM David Bantz
I've been asked to look into SSO client login to Gartner. Archives have a several-year-old discussion in which Yale and CMU indicate they did get Gartner client logins relying on their Shibb IdP with unusual effort. I'm hoping for details, documentation, and/or updates from participants here.

David Bantz
UA OIT IAM

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: SAML2/Shibb client login to Gartner

Morgan, Andrew Jason
It wasn't too hard...

Here is what I have in metadata-providers.xml:

    <!-- gartner metadata -->
    <MetadataProvider id="gartner" xsi:type="FileBackedHTTPMetadataProvider"
                      xmlns="urn:mace:shibboleth:2.0:metadata"
                      metadataURL="https://ssofed.gartner.com/pf/federation_metadata.ping?PartnerIdpId=https://login.oregonstate.edu/idp/shibboleth"
                      backingFile="%{idp.home}/metadata/gartner.xml"
                      minRefreshDelay="PT5M"
                      maxRefreshDelay="PT1H"
                      refreshDelayFactor="0.75">
        <MetadataFilter xsi:type="Predicate" direction="include" removeEmptyEntitiesDescriptors="true" trim="true">
            <Entity>http://www.gartner.com</Entity>
        </MetadataFilter>
    </MetadataProvider>

and attribute-filter.xml:

    <!-- gartner filters -->
    <AttributeFilterPolicy id="gartner">
        <PolicyRequirementRule xsi:type="Requester" value="http://www.gartner.com" />
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

They wanted us to perform access control, so I use an intercept for that.

Let me know if you have any questions.

Thanks,
Andy Morgan
Identity & Access Management
Oregon State University


From: users <[hidden email]> on behalf of IAM David Bantz <[hidden email]>
Sent: Monday, November 25, 2019 3:42 PM
To: Shib Users <[hidden email]>
Subject: SAML2/Shibb client login to Gartner
 
I've been asked to look into SSO client login to Gartner. Archives have a several-year-old discussion in which Yale and CMU indicate they did get Gartner client logins relying on their Shibb IdP with unusual effort. I'm hoping for details, documentation, and/or updates from participants here.

David Bantz
UA OIT IAM

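
One way to confirm what the attribute-filter.xml policy in the reply above releases to a given relying party before go-live, as an added example that is not part of the original thread or Shibboleth's own code. The enclosing AttributeFilterPolicyGroup root and the function name `released_to` are assumptions; only Requester/ANY requirement rules and ANY permit rules are evaluated, and anything else is reported for manual review.

```python
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed input: the policy from the message above, wrapped in an assumed
# AttributeFilterPolicyGroup root that declares the namespaces.
SAMPLE = """<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="gartner">
    <PolicyRequirementRule xsi:type="Requester" value="http://www.gartner.com" />
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def released_to(filter_xml, requester):
    """Return (released attribute IDs, items needing manual review)."""
    root = ET.fromstring(filter_xml)
    released, review = set(), []
    for policy in root.iter(f"{{{AFP}}}AttributeFilterPolicy"):
        pid = policy.get("id")
        req = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        rtype = req.get(XSI_TYPE) if req is not None else None
        if rtype == "ANY":
            pass  # policy applies to every relying party
        elif rtype == "Requester":
            if req.get("value") != requester:
                continue  # policy is scoped to a different SP
        else:
            review.append(f"{pid}: requirement rule {rtype!r} not evaluated")
            continue
        for rule in policy.iter(f"{{{AFP}}}AttributeRule"):
            permit = rule.find(f"{{{AFP}}}PermitValueRule")
            if permit is not None and permit.get(XSI_TYPE) == "ANY":
                released.add(rule.get("attributeID"))
            else:
                review.append(f"{pid}/{rule.get('attributeID')}: non-ANY rule")
    return released, review
```

Calling `released_to(SAMPLE, "http://www.gartner.com")` returns the three attribute IDs from the policy and an empty review list; any other entityID gets nothing from this policy.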