Stanford releases two attributes specifically for NSC - SchoolAssignedPersonID and OPEID. SchoolAssignedPersonID is also included in the weekly batch upload of student data. Currently, the configuration only supports student access to NSC; staff access to student records at NSC still needs to be worked out.

Student Access

Generally, students access the NSC site through a link in our Student Administration system. This link includes the OPEID, which the NSC SP uses to redirect users to the correct IdP.

Staff Access

With the old authentication mechanism, the Student Administration system allowed authorized staff to masquerade as students to access the NSC site. This functionality has not been replicated with the new Shibboleth authentication mechanism. There are a few possible solutions:

  • one or more eduPersonEntitlement values could be used to authorize access to student records at NSC
    • Advantage: NSC is fully aware of which Stanford staff IDs accessed which Stanford student record
    • Disadvantage: Without a log interface, Stanford is unaware of which Stanford staff IDs accessed which Stanford student record
  • masquerading at Stanford. In this case, authorized Stanford staff would be able to select which student to masquerade as. NSC would receive an assertion for that student
    • Advantage: Stanford is fully aware of which Stanford staff IDs accessed which Stanford student record
    • Disadvantage: NSC is unaware of which Stanford staff IDs accessed which Stanford student record
  • release attributes defining the authenticating user and the user they wish to masquerade as
    • Advantage: both parties are fully aware of which Stanford staff IDs accessed which Stanford student record
    • Disadvantage: implementation is non-trivial, and may not be widely supportable

Attributes

SchoolAssignedPersonID

While we wanted to use our targetedID system, we had two restrictions:

  1. SchoolAssignedPersonID is defined by PESC to have a maximum length of 20 characters.
  2. The ID we used had to be easily accessed by both the Shibboleth IdP and the Student Admin system (which creates the weekly batch upload)

The targetedID system currently has no web service, but several of the mechanisms it uses could be reproduced in PeopleSoft. However, none of the reproducible mechanisms created IDs that were 20 characters or less. We decided just to use the Stanford UnivID, which was already being released to NSC via the batch file, and is available to both the SA system and the IdP. In the IdP resolver configuration it is defined as another name for the suUnivID directory attribute:

  <SimpleAttributeDefinition id="SchoolAssignedPersonID"
    namespace="http://www.pesc.org/standards/attrs" sourceName="suUnivID">
    <DataConnectorDependency requires="sasldir"/>
  </SimpleAttributeDefinition>

OPEID

Stanford has several OPEIDs - one for Stanford as a whole, and others for some of the schools. NSC only needed the generic Stanford OPEID, so it was hardcoded in the IdP resolver configuration as a mapping from various affiliation types.

  <MappedAttributeDefinition id="OPEID" namespace="http://www.pesc.org/standards/attrs">
    <AttributeDependency requires="urn:stanford.edu:dir:attribute-def:suPrivilegeGroup"/>
    <ValueMap value="00XXXXXX" keyset="stanford:staff,stanford:faculty,stanford:student"/>
  </MappedAttributeDefinition> 
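As an added illustration (not Stanford's resolver or Shibboleth's own code), the following simplified evaluator parses the two definitions above and shows what the IdP would produce for a directory record, including a check against the PESC 20-character limit on SchoolAssignedPersonID that motivated using suUnivID in the first place. It assumes a directory record supplied as a plain dict keyed by whatever name the definition references (sourceName for the simple definition, the full `requires` URN for the mapped one), and it matches ValueMap keys by exact string rather than by the regular-expression matching the real resolver performs.

```python
"""Simplified Shibboleth 1.x attribute-resolver walk (added example).

Handles only SimpleAttributeDefinition and MappedAttributeDefinition as they
appear on this page; the real resolver also evaluates data connectors and
treats keyset entries as regular expressions.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the two definitions from this page, wrapped in a root
# element so they parse as one document.
SAMPLE_RESOLVER = """<AttributeResolver>
  <SimpleAttributeDefinition id="SchoolAssignedPersonID"
    namespace="http://www.pesc.org/standards/attrs" sourceName="suUnivID">
    <DataConnectorDependency requires="sasldir"/>
  </SimpleAttributeDefinition>
  <MappedAttributeDefinition id="OPEID" namespace="http://www.pesc.org/standards/attrs">
    <AttributeDependency requires="urn:stanford.edu:dir:attribute-def:suPrivilegeGroup"/>
    <ValueMap value="00XXXXXX" keyset="stanford:staff,stanford:faculty,stanford:student"/>
  </MappedAttributeDefinition>
</AttributeResolver>
"""

PESC_MAX_LEN = 20  # PESC limit on SchoolAssignedPersonID length


def resolve(resolver_xml, directory):
    """Return {attribute id: [values]} for one directory record.

    `directory` maps a source name (or dependency URN) to a list of values.
    """
    root = ET.fromstring(resolver_xml)
    resolved = {}

    # SimpleAttributeDefinition: an alias for a directory attribute.
    for defn in root.findall("SimpleAttributeDefinition"):
        source = defn.get("sourceName", defn.get("id"))
        values = directory.get(source, [])
        if values:
            resolved[defn.get("id")] = list(values)

    # MappedAttributeDefinition: emit `value` when any input value is in keyset
    # (exact match here; the real resolver treats keyset entries as regexes).
    for defn in root.findall("MappedAttributeDefinition"):
        dep = defn.find("AttributeDependency")
        inputs = set(directory.get(dep.get("requires"), [])) if dep is not None else set()
        mapped = []
        for value_map in defn.findall("ValueMap"):
            keys = {k.strip() for k in value_map.get("keyset", "").split(",") if k.strip()}
            if inputs & keys:
                mapped.append(value_map.get("value"))
        if mapped:
            resolved[defn.get("id")] = mapped
    return resolved


def oversized_person_ids(resolved):
    """Values of SchoolAssignedPersonID that would violate the PESC limit."""
    return [v for v in resolved.get("SchoolAssignedPersonID", []) if len(v) > PESC_MAX_LEN]


if __name__ == "__main__":
    # Constructed record: a student with the UnivID value from this page.
    record = {
        "suUnivID": ["009876543"],
        "urn:stanford.edu:dir:attribute-def:suPrivilegeGroup": ["stanford:student"],
    }
    print(resolve(SAMPLE_RESOLVER, record))
```

A record whose privilege groups contain none of the three keyset entries gets no OPEID at all, which is the behaviour the hardcoded mapping implies: only staff, faculty and students are asserted as belonging to the generic Stanford OPEID.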

ARP

NSC has used two providerIDs during the pilot, so we have two ARP rules:

  <!-- NSC needs SchoolAssignedPersonID (which is suUnivID) -->
  <Rule>
     <Target>
        <Requester>shibboleth.studentclearinghouse.org</Requester>
     </Target>
     <Attribute name="SchoolAssignedPersonID">
        <AnyValue release="permit"/>
     </Attribute>
     <Attribute name="OPEID">
        <AnyValue release="permit"/>
     </Attribute>
  </Rule> 
  <!-- alternate requester for NSC -->
  <Rule>
     <Target>
        <Requester>https://shibboleth.studentclearinghouse.org/shibboleth</Requester>
     </Target>
     <Attribute name="SchoolAssignedPersonID">
        <AnyValue release="permit"/>
     </Attribute>
     <Attribute name="OPEID">
        <AnyValue release="permit"/>
     </Attribute>
  </Rule> 

Other attributes will be released to NSC if the attributes are available to the IdP and the authenticating user has set those attributes to be publicly available in StanfordYou.
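To make the release decision concrete, here is an added example (not Stanford's configuration or the Shibboleth ARP engine) that parses the two rules above and reports which of a user's attributes a given requester receives. It models only what these rules use: exact requester matching, `AnyValue release="permit"`, and deny-overrides-permit when a rule says `release="deny"`. The real engine also supports `<AnyTarget/>`, match functions and per-value rules, and the StanfordYou "public" release mentioned above happens outside these rules, so it is not modelled here.

```python
"""Minimal evaluator for Shibboleth 1.x ARP rules (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the two NSC rules from this page, wrapped in a root
# element so they parse as one document.
SAMPLE_ARP = """<AttributeReleasePolicy>
  <Rule>
     <Target>
        <Requester>shibboleth.studentclearinghouse.org</Requester>
     </Target>
     <Attribute name="SchoolAssignedPersonID">
        <AnyValue release="permit"/>
     </Attribute>
     <Attribute name="OPEID">
        <AnyValue release="permit"/>
     </Attribute>
  </Rule>
  <Rule>
     <Target>
        <Requester>https://shibboleth.studentclearinghouse.org/shibboleth</Requester>
     </Target>
     <Attribute name="SchoolAssignedPersonID">
        <AnyValue release="permit"/>
     </Attribute>
     <Attribute name="OPEID">
        <AnyValue release="permit"/>
     </Attribute>
  </Rule>
</AttributeReleasePolicy>
"""


def parse_arp(xml_text):
    """Return a list of (requesters, {attribute name: 'permit'|'deny'}) per Rule."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("Rule"):
        requesters = {(r.text or "").strip() for r in rule.findall("Target/Requester")}
        decisions = {}
        for attr in rule.findall("Attribute"):
            any_value = attr.find("AnyValue")
            # An Attribute element without an explicit AnyValue releases nothing.
            decisions[attr.get("name")] = any_value.get("release", "deny") if any_value is not None else "deny"
        rules.append((requesters, decisions))
    return rules


def released_attributes(rules, requester, available):
    """Names from `available` the requester may receive.

    Default is deny: an attribute is released only if some rule whose Target
    names this requester permits it and no such rule denies it.
    """
    permitted, denied = set(), set()
    for requesters, decisions in rules:
        if requester not in requesters:
            continue
        for name, decision in decisions.items():
            (permitted if decision == "permit" else denied).add(name)
    allowed = permitted - denied
    return sorted(name for name in available if name in allowed)


if __name__ == "__main__":
    rules = parse_arp(SAMPLE_ARP)
    user_attrs = ["SchoolAssignedPersonID", "OPEID", "eduPersonScopedAffiliation"]
    for sp in ("shibboleth.studentclearinghouse.org", "https://sp.example.org/shibboleth"):
        print(sp, "->", released_attributes(rules, sp, user_attrs))
```

Running it shows that either NSC providerId receives exactly the two PESC attributes, while an unrelated requester receives nothing from these rules; that is the property worth re-checking whenever a relying party changes its providerId, as NSC did during the pilot.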

Sample Attribute Assertion

Here's a (slightly redacted) assertion from when we were testing earlier this year. The only attributes that are required are SchoolAssignedPersonID and OPEID; the other attributes are released as a side effect of our implementation, where (by default) the IdP releases information that users have marked public.

<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
          xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          InResponseTo="_84e41daa41b840519ed0a0741797cc14"
          IssueInstant= "2009-01-28T20:29:05.686Z"
          MajorVersion="1"
          MinorVersion="1"
          ResponseID="_c7ee6314b2724627f58690b056f8095f">
  <Status>
    <StatusCode Value="samlp:Success"></StatusCode>
  </Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
             AssertionID="_5c3d359276ed51d74a2952f1053063dc"
             IssueInstant="2009-01-28T20:29:05.685Z"
             Issuer="https://idp-dev.stanford.edu/"
             MajorVersion="1"
             MinorVersion="1">
    <Conditions NotBefore="2009-01-28T20:29:05.685Z"
                NotOnOrAfter="2009-01-28T20:59:05.685Z">
      <AudienceRestrictionCondition>
        <Audience>https://shibboleth.studentclearinghouse.org/shibboleth</Audience>
        <Audience>urn:mace:stanford.edu:farmfeddev</Audience>
      </AudienceRestrictionCondition>
    </Conditions>
    <AttributeStatement>
      <Subject>
        <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
                        NameQualifier="https://idp-dev.stanford.edu/">
          ....
        </NameIdentifier>
      </Subject>
      <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <AttributeValue Scope="stanford.edu">affiliate</AttributeValue>
        <AttributeValue Scope="stanford.edu">staff</AttributeValue>
        <AttributeValue Scope="stanford.edu">member</AttributeValue>
      </Attribute>

      <Attribute AttributeName="OPEID"
                 AttributeNamespace="http://nsc-pilot.stanford.edu/attr">
        <AttributeValue>XXXX</AttributeValue>
      </Attribute>

      <Attribute AttributeName="SchoolAssignedPersonID"
                 AttributeNamespace="http://nsc-pilot.stanford.edu/attr">
        <AttributeValue>009876543</AttributeValue>
      </Attribute>

    </AttributeStatement>
  </Assertion>
</Response>
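The SP side of this exchange is worth showing too. The following is an added example (not NSC's or Shibboleth's SP code) of the checks a relying party runs on a SAML 1.1 response shaped like the one above before trusting its attributes: a success status, the assertion's validity window, an AudienceRestrictionCondition that names this SP, and the presence of the two required PESC attributes. It assumes the response has already been authenticated (signature or back-channel TLS), which this code does not do, and it uses a constructed copy of the assertion with placeholder identifiers and a placeholder NameIdentifier value.

```python
"""SP-side sanity checks on a SAML 1.1 attribute response (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
# Namespace the sample assertion on this page uses for the PESC attributes.
PESC_NS = "http://nsc-pilot.stanford.edu/attr"
REQUIRED = ("SchoolAssignedPersonID", "OPEID")

# Constructed sample modelled on the page's assertion; IDs and the
# NameIdentifier value are placeholders, OPEID is redacted as on the page.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
          InResponseTo="_placeholder-request-id" IssueInstant="2009-01-28T20:29:05.686Z"
          MajorVersion="1" MinorVersion="1" ResponseID="_placeholder-response-id">
  <Status><StatusCode Value="samlp:Success"></StatusCode></Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
             AssertionID="_placeholder-assertion-id" IssueInstant="2009-01-28T20:29:05.685Z"
             Issuer="https://idp-dev.stanford.edu/" MajorVersion="1" MinorVersion="1">
    <Conditions NotBefore="2009-01-28T20:29:05.685Z" NotOnOrAfter="2009-01-28T20:59:05.685Z">
      <AudienceRestrictionCondition>
        <Audience>https://shibboleth.studentclearinghouse.org/shibboleth</Audience>
        <Audience>urn:mace:stanford.edu:farmfeddev</Audience>
      </AudienceRestrictionCondition>
    </Conditions>
    <AttributeStatement>
      <Subject>
        <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
                        NameQualifier="https://idp-dev.stanford.edu/">PLACEHOLDER-HANDLE</NameIdentifier>
      </Subject>
      <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <AttributeValue Scope="stanford.edu">staff</AttributeValue>
      </Attribute>
      <Attribute AttributeName="OPEID" AttributeNamespace="http://nsc-pilot.stanford.edu/attr">
        <AttributeValue>XXXX</AttributeValue>
      </Attribute>
      <Attribute AttributeName="SchoolAssignedPersonID" AttributeNamespace="http://nsc-pilot.stanford.edu/attr">
        <AttributeValue>009876543</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</Response>
"""


def parse_saml_time(text):
    """SAML dateTime (UTC, optional fractional seconds) -> aware datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp: {text!r}")


def validate_response(xml_text, expected_audience, now):
    """Return {'ok': bool, 'problems': [...], 'attributes': {(ns, name): [values]}}."""
    root = ET.fromstring(xml_text)
    problems = []

    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or not status.get("Value", "").endswith("Success"):
        problems.append("status is not Success")

    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return {"ok": False, "problems": problems + ["no assertion"], "attributes": {}}

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        problems.append("no Conditions element")
    else:
        if not (parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter"))):
            problems.append("assertion outside validity window")
        audiences = {(a.text or "").strip() for a in cond.iter(f"{{{SAML}}}Audience")}
        if expected_audience not in audiences:
            problems.append("audience restriction does not name this SP")

    attributes = {}
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        key = (attr.get("AttributeNamespace"), attr.get("AttributeName"))
        attributes[key] = [(v.text or "").strip() for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    for name in REQUIRED:
        if not attributes.get((PESC_NS, name)):
            problems.append(f"missing required attribute {name}")

    return {"ok": not problems, "problems": problems, "attributes": attributes}


if __name__ == "__main__":
    result = validate_response(SAMPLE_RESPONSE,
                               "https://shibboleth.studentclearinghouse.org/shibboleth",
                               parse_saml_time("2009-01-28T20:30:00Z"))
    print(result["ok"], result["problems"])
```

The audience check is the one most often skipped in home-grown SP code; without it an assertion minted for the dev federation audience in the same list would be accepted by any relying party that received it.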