
Overview

The Shibboleth IdP UI provides capabilities for the creation of metadata sources, metadata providers, and metadata filters.

Dashboards  

The Shibboleth IdP UI has four dashboard functions:  

  • Metadata Source 
  • Metadata Provider
  • Admin
  • Action Required

A Shibboleth IdP UI Administrator (Administrator) has the ability to view all of these.  In addition, the Administrator is able to view and modify all metadata sources, metadata providers, and administrative functions including the Admin and Action Required dashboards.  

A Shibboleth IdP UI Delegated Administrator (User) only has the ability to maintain Metadata Source metadata and can only view the Metadata Source dashboard.  The User's Metadata Source Dashboard will only display metadata sources created by that User.

Metadata Source

The Metadata Source dashboard displays the list of metadata sources that have been created using the Shibboleth IdP UI application.  The process to update a metadata source starts by clicking the title.  If the metadata source information has been saved to the database, the metadata configuration page will be displayed.  If a new metadata source is created using the wizard but the entry of information was not complete, the user will be notified that any unsaved changes will be discarded. Therefore, it is necessary to complete the new metadata source wizard in order to save a new metadata source to the database.

Metadata Provider

The Metadata Provider dashboard displays the list of metadata providers that have been created using the Shibboleth IdP UI application. There are four types of metadata providers - FileBackedHTTPMetadataProvider, FileSystemMetadataProvider, LocalDynamicMetadataProvider and DynamicHTTPMetadataProvider.

Admin

The Admin Dashboard enables an Administrator to assign roles to individuals allowed to use the Shibboleth IdP UI application.  The available roles are currently Administrator, Enabler, User, and None.

Action Required

The Action Required Dashboard provides the Administrator with two types of notifications:

  • Enable Metadata Sources
  • User Access Requests

Enable Metadata Sources displays requests when a user creates a new metadata source.  User Access Requests prompts administrators to assign a role for a new User.

Add Metadata Source

To add a metadata source, click the Add New button at the top of the page, and choose the Metadata Source option from the drop down.  

Select Add Option

Three options are provided to begin the process for adding a new metadata source when the page is displayed as shown below.  


  • Create (default option) - this option requires you to enter information manually by following the Create Metadata Source wizard and entering all pertinent information for the metadata source.  Following the last page of the wizard (attribute release) the metadata configuration page will be displayed.
  • Upload/URL - this option provides the ability to bring in existing metadata source information by uploading the information from either a file or a URL.  Once the information has been saved, the metadata configuration page will be displayed to allow for modifications to the information uploaded.
  • Copy - this option provides the ability to bring in existing metadata source information by copying a metadata source that already exists in the Shibboleth IdP UI application.  Once the information has been saved, the metadata configuration page will be displayed to allow for modifications to the information copied.

On each page, fields that require information to be entered are denoted by an '*' at the end of the description for the field.       

Examples of the pages for the different options are displayed below.

Create 

Enter the Service Provider Name and Entity ID then click the Organization Information button to continue through the wizard.

The wizard guides you through the following pages to capture the metadata source information:

  • Organization information
  • MDUI information
  • SP SSO descriptor information
  • Logout endpoints
  • Security information
  • Assertion consumer services
  • Relying party overrides
  • Attribute release

Navigation through the wizard is controlled by either moving to the previous page by clicking the Back button or moving to the next page by clicking the Next button.  Once the final page of the wizard has been reached, the user will be able to save their new metadata source.  If the user navigates away from the form at any time prior, they will be notified that their changes will not be saved if the wizard is not completed.

Examples of each page are shown below.

Organization Information

MDUI Information

SP SSO Descriptor Information

Logout Endpoints

Security Information

Assertion Consumer Services

Relying Party Overrides

Attribute Release

Upload/URL  

Enter the Service Provider Name and either a metadata file or metadata URL.  Click the Save button.  All data will be retrieved from the metadata file.  The data uploaded can be updated on the Metadata Source Add Configuration page.

Copy 

Select the entity id to copy, enter Service Provider Name and Entity ID then click the Next button.  All data will be copied from the entity id selected.  

The data copied can be updated on the Metadata Source Add Configuration page.

Metadata Source Add Configuration Page

The Metadata Source Add Configuration page displays when you have completed the process of adding a metadata source.  This page displays all of the values for the metadata source on one page.  You can edit metadata source configuration details by clicking the edit link for a section.  If no edits are needed, you can save the information for the metadata source in the database by clicking the Save button.  An Administrator also has the ability to enable the metadata source for use in an IdP.  If the metadata source is added by a User, a request will be sent to an Administrator to enable the metadata source.

Update Metadata Source

Metadata Source Configuration

When you click on a metadata source in the Metadata Sources dashboard, the Metadata Source Configuration page will be displayed.  This page shows the following information for the metadata source:

  • Date saved
  • Saved by
  • Enabled/Not Enabled
  • Whether it is the current production version
  • All configuration information saved separated by section

Click the following links to initiate actions from this page:

  • Version History - Display of version history for the metadata source
  • XML - View the XML Configuration for the metadata source
  • Edit - Edit the metadata source.  This option is only available if you are viewing the current version of the metadata source.
  • Delete - Delete the metadata source.  This option is only available if the source is not enabled.

Version History

The Version History page displays all of the versions that were saved for the metadata source.  The following actions can be initiated from this page:

  • Compare Selection - Click two or more check boxes to the left of the save date and click the Compare Selected button.  The Compare Source Configuration Page will be displayed.
  • Display/edit version - Click the version to display the information for that version on the Source Configuration page.
  • Restore - Click the Restore link next to a version to create a new version for the metadata source.  This will contain the information that was saved for the version selected.

Compare Selection

When two or more versions are selected to compare, the Compare Source Configuration will be displayed.  This display shows all data fields for the metadata source and highlights the fields that are different between the versions.  An additional option is available by toggling the View Only Changes field which will display only the fields that have changed.

Full Data Display

Changes Only

Restore

When you click the link to restore a version, the Restore Version page will be displayed.  If you click the Cancel button, the Version History page will be re-displayed with no changes.  If you click the Restore button, a new version will be created and the Source Configuration page will be displayed as shown above.  You can then make modifications to the new version of the metadata source and save it.

XML Configuration

This page displays the XML version of the metadata for the metadata source.

Edit

When you click the Edit link in the Source Configuration page, the section you selected to edit is displayed on the page.  The link in the left navigation is highlighted indicating the section displayed.  The following functions can be performed on this page:

  • Modifications can be made to the data on the page
  • Data can be saved by clicking the Save button.  All modifications for the metadata source will be saved and the Metadata Source Configuration page will be displayed.  Note: Multiple sections can be modified prior to selecting Save and the modifications for all sections will be saved.
  • Clicking the Cancel button will cause the Metadata Source Configuration page to be displayed and all modifications made since the last Save will be ignored.
  • Clicking the link for another section in the left navigation will initiate the display of a new page containing the data for that section.

Add Metadata Provider

To add a metadata provider, click the Add New button at the top of the page, and choose the Metadata Provider option from the button menu.  After you choose the Metadata Provider option, you will be prompted to select the metadata provider type.  This will start the add process for the metadata provider.  Enter a metadata provider name and select one of the four metadata provider types:

  • FileBackedHTTPMetadataProvider
  • FileSystemMetadataProvider
  • LocalDynamicMetadataProvider
  • DynamicHTTPMetadataProvider

A wizard will guide you through the steps to provide the information required for each metadata provider type. 

On each page of the wizard, fields that require information to be entered are denoted by a '*' at the end of the description for the field.  Following the last page of the wizard (attribute release) the Metadata Provider Add Configuration page will be displayed.

Add New Metadata Provider

Navigation through the wizard is controlled by either moving to the previous page by clicking the Back button or moving to the next page by clicking the Next button.  If you attempt to navigate away from the wizard, a pop-up will be displayed that notifies you that your changes will be lost if you proceed.  If you select Cancel, you can continue through the wizard.

FileBackedHTTPMetadataProvider Wizard

The FileBackedHTTPMetadataProvider wizard displays the following pages to capture the metadata provider information:

  • Common Attributes
  • Reloading Attributes
  • Metadata Filter Plugins   

Examples of each page are shown below.

Common Attributes

Reloading Attributes

Metadata Filter Plugins

FileSystemMetadataProvider Wizard

The FileSystemMetadataProvider wizard displays the following pages to capture the metadata provider information:

  • Common Attributes
  • Dynamic Attributes

Examples of each page are shown below.

Common Attributes

Dynamic Attributes

LocalDynamicMetadataProvider Wizard

The LocalDynamicMetadataProvider wizard displays the following pages to capture the metadata provider information:

  • Common Attributes
  • Dynamic Attributes

Examples of each page are shown below.

Common Attributes

Dynamic Attributes

DynamicHTTPMetadataProvider Wizard

The DynamicHTTPMetadataProvider wizard displays the following pages to capture the metadata provider information:

  • Common Attributes
  • Dynamic Attributes
  • Metadata Filter Plugins

Examples of each page are shown below.

Common Attributes

Dynamic Attributes

Metadata Filter Plugins

Metadata Provider Add Configuration Page

The Metadata Provider Add Configuration page allows you to view all data for the metadata provider on one page.  The information displayed on the Metadata Provider Add Configuration page will be determined by the metadata provider type for the metadata provider.  You can edit metadata provider configuration details by clicking the edit link for a section.  Once all information is reviewed/updated, save the information for the metadata provider in the database by clicking the Save button.  Once saved, an Administrator also has the ability to enable the metadata provider for use in an IdP.

Examples of the Metadata Provider Add Configuration page for each type of metadata provider are shown below.

FileBackedHTTPMetadataProvider

FileSystemMetadataProvider

LocalDynamicMetadataProvider

DynamicHTTPMetadataProvider

Update Metadata Provider

Metadata Provider Configuration

When you click a metadata provider in the dashboard, the Metadata Provider Configuration page will display the sections for the metadata provider type.  This page displays the following common information for the metadata provider:

  • Date saved
  • Saved by
  • Enabled/Not Enabled
  • Whether it is the current production version
  • All configuration information saved separated by section

The following links can be selected to initiate actions from this page:

  • Version History - Display of version history for the metadata provider.  
  • Edit - Edit the metadata provider.  This option is only available for the current version.
  • Filters & Add Filter - For providers that support them, clicking the Filters link positions you at the filters section.  Clicking the Add Filter button allows you to add metadata filters to the current provider.
  • Enable/Disable - The Enable / Disable button allows you to toggle the enabled status of the provider.  Note that this can also be changed from the dashboard.

Note:  Version History includes options for Compare Selections, Edit/Display, and Restore metadata providers. The functionality of these options is the same as it is for metadata sources.  Please refer to those sections above for more details.

The provider configuration page for each metadata provider type is displayed below.

FileBackedHTTPMetadataProvider

FileSystemMetadataProvider

LocalDynamicMetadataProvider

DynamicHTTPMetadataProvider

Edit

When you click the Edit link for a section in the Metadata Provider Configuration page, that section is displayed on the page and available to edit.  The link in the left navigation is highlighted indicating the section displayed.  The following functions can be performed on this page:

  • Modifications can be made to the data on the page
  • Data can be saved by clicking the Save button.  All modifications for the metadata provider will be saved and the Metadata Provider Configuration page will be displayed.  Note:  Multiple sections can be modified prior to selecting Save and the modifications for all sections will be saved.
  • Clicking the Cancel button will cause the Metadata Provider Configuration page to be displayed and all modifications made since the last Save will be ignored.
  • Clicking the link for another section in the left navigation will initiate the display of a new page containing the data for that section.



In addition to editing the information that was included during the add process for a metadata provider, Advanced Settings may also be modified.  Click the Advanced Settings link in the left navigation and toggle the switch at the top of the page to unlock the fields for editing.

Note:  Advanced Settings are an advanced function and should not normally need to be modified.

Advanced Settings

Filters

Filters are attached to a specific metadata provider. Either a File-Backed or Dynamic HTTP Metadata Provider can have filters.  A list of filters is displayed at the bottom of the Metadata Provider Configuration page.  The sequence of filters in the list can be modified by clicking the up/down arrows to the left of the filter name.  Filters can also be Enabled / Disabled.  Click the Add Filter link to add a new filter to the metadata provider.   

Add Filter

After you click Add Filter, you will be prompted to select the filter type.  The options for the filter type are:

  • EntityAttributes
  • NameIDFormat

Once the filter type is selected, the page will expand to display the data fields that can be entered for that filter type.  The interface is similar to the provider edit interface in that there is a left-hand navigation for the different sections of the filter's definition.

On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.  

Filter Page Examples

EntityAttributes 


NameIDFormat 


Update Filter

To update an existing filter, click the filter name in the filter list.  The filter information will be displayed below the row for the filter selected.  Click the Edit link to display the filter page for update.  Click the Delete link to remove the filter from the filter list.

Versioning/Comparison

Filters do not have a separate version number to select from version history.  When metadata provider versions are selected, the filters corresponding to each metadata provider version selected are displayed below the metadata provider data at the bottom of the page.    

Metadata Provider Version History

Metadata Filter Comparison selection

The order of the filters may not be the same for each metadata provider version.  Click the checkbox next to the corresponding filters (same filter name) to compare the values for the filter.  The differences will then be displayed.
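The comparison described in the Compare Selection section for metadata sources and in the filter comparison above comes down to two rules: top-level fields are compared one by one (with a changes-only view), and filters are matched by name rather than by position because the filter order may differ between versions. The following Python is an added example written for this page, not code from the Shibboleth IdP UI project; the two provider versions, their field names and the filter definitions are constructed sample data, and the "present" pseudo-field for a filter that exists in only one version is this example's own convention.

```python
from typing import Any, Dict, Tuple

# Two constructed versions of one metadata provider (sample data, not a real
# saved configuration). Each version carries its own filter list, and the
# filters appear in a different order in each version.
VERSION_1: Dict[str, Any] = {
    "name": "federation-feed",
    "type": "FileBackedHTTPMetadataProvider",
    "metadataURL": "https://metadata.example.org/aggregate.xml",   # constructed
    "backingFile": "/opt/shibboleth-idp/metadata/aggregate.xml",   # constructed
    "minRefreshDelay": "PT5M",
    "filters": [
        {"name": "nameid-formats", "type": "NameIDFormat", "enabled": True,
         "formats": ["urn:oasis:names:tc:SAML:2.0:nameid-format:transient"]},
        {"name": "prod-tag", "type": "EntityAttributes", "enabled": True,
         "attributeName": "http://example.org/entity-category"},    # constructed
    ],
}
VERSION_2: Dict[str, Any] = {
    "name": "federation-feed",
    "type": "FileBackedHTTPMetadataProvider",
    "metadataURL": "https://metadata.example.org/aggregate.xml",
    "backingFile": "/opt/shibboleth-idp/metadata/aggregate.xml",
    "minRefreshDelay": "PT10M",
    "filters": [
        {"name": "prod-tag", "type": "EntityAttributes", "enabled": True,
         "attributeName": "http://example.org/entity-category"},
        {"name": "nameid-formats", "type": "NameIDFormat", "enabled": False,
         "formats": ["urn:oasis:names:tc:SAML:2.0:nameid-format:transient"]},
        {"name": "new-tag", "type": "EntityAttributes", "enabled": True,
         "attributeName": "http://example.org/other"},
    ],
}

FieldDiff = Dict[str, Tuple[Any, Any, bool]]


def compare_fields(old: Dict[str, Any], new: Dict[str, Any],
                   changes_only: bool = False) -> FieldDiff:
    """Field-by-field comparison: {field: (old_value, new_value, changed)}.
    With changes_only=True unchanged fields are dropped, which is the
    'View Only Changes' toggle."""
    diff: FieldDiff = {}
    for key in sorted(set(old) | set(new)):
        old_value, new_value = old.get(key), new.get(key)
        changed = old_value != new_value
        if changes_only and not changed:
            continue
        diff[key] = (old_value, new_value, changed)
    return diff


def compare_versions(old: Dict[str, Any], new: Dict[str, Any],
                     changes_only: bool = False) -> Dict[str, Any]:
    """Compare two saved versions of a metadata provider.

    Top-level fields are compared directly. Filters are matched by name, so
    a re-ordered filter list is not reported as a change; a filter present
    in only one version is reported under the 'present' pseudo-field."""
    def without_filters(version: Dict[str, Any]) -> Dict[str, Any]:
        return {k: v for k, v in version.items() if k != "filters"}

    fields = compare_fields(without_filters(old), without_filters(new), changes_only)

    old_filters = {f["name"]: f for f in old.get("filters", [])}
    new_filters = {f["name"]: f for f in new.get("filters", [])}
    filters: Dict[str, FieldDiff] = {}
    for name in sorted(set(old_filters) | set(new_filters)):
        old_f, new_f = old_filters.get(name), new_filters.get(name)
        if old_f is None or new_f is None:
            filters[name] = {"present": (old_f is not None, new_f is not None, True)}
            continue
        filter_diff = compare_fields(old_f, new_f, changes_only)
        if filter_diff or not changes_only:
            filters[name] = filter_diff
    return {"fields": fields, "filters": filters}


if __name__ == "__main__":
    for section, diff in compare_versions(VERSION_1, VERSION_2, changes_only=True).items():
        print(section, diff)
```

Run stand-alone, the script prints only the refresh delay change, the disabled nameid-formats filter and the newly added new-tag filter; the prod-tag filter, which merely moved position, does not appear.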

User Maintenance

Users can be added using two methods.  The first method is to include the users in the user file during application deployment.  The second method is to insert your IdP in front of the Shibboleth IdP UI application.  You can publish a link to individuals you would like to use the application.  When they receive the link, they can sign in to the application.  The first time a user accesses the application, the user will see a "user request received" notification as shown below, and the new user will be displayed on the administrator Action Required dashboard as shown below.


Once a new user request has been received, the Administrator can assign a role or delete the request.  Click the role to display the available roles as shown below.  The appropriate role can then be assigned.   


If Delete Request is clicked, a confirmation message will be displayed as shown below.  You can then confirm or cancel the deletion.


Custom Entity Attributes / Relying Party Overrides

Custom Entity Attributes can be added by an administrator. These attributes become options on the Relying Party Overrides section when configuring a Metadata Source or an Entity Attributes Filter.

To create an attribute, click the "Advanced" button in the upper right navigation and select "Custom entity attributes".


The user is presented a form to configure a new attribute. The following is a list of the Entity Attributes types:

  • String (simple plain text)
  • Boolean (allows options to store as a string or boolean value)
  • List (list of strings with a default option)
  • Long (stored as a string)
  • Double (stored as a string)
  • Duration (stored as a string in the ISO-8601 duration format)
    • example: PT1H
  • Spring Bean ID (stored as a string)


Form fields for creating a new attribute:

  • Name: The name of the entry, used to uniquely identify this entry.
  • Attribute Type: The type to use when displaying this option.
  • Attribute Friendly Name: This is the friendly name associated with the Attribute Name below.
  • Attribute Name: This is the name of the attribute to be used in the XML. This is assumed to be a URI.
  • Display Name: This will normally be the label used when displaying this override in the UI
  • Help Text: This is the help-icon hover-over text
  • Default Value: One or more values to be displayed as default options in the UI
  • Persist Type: Optional. If it is necessary to persist something different than the override's display type, set that type here. For example, display a boolean, but persist a string.
  • Persist Value: Required only when Persist Type is used. Defines the value to be persisted.
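Each attribute type above implies an input check before a value is stored, and the Persist Type option means the displayed type and the stored type can differ. The following Python is an added example written for this page, not code from the Shibboleth IdP UI project; the ISO-8601 duration pattern (requiring at least one component), the Java long range for the Long type, and the non-empty, whitespace-free rule for a Spring Bean ID are this example's own assumptions about what each type should accept.

```python
import math
import re
from typing import Any, List, Optional

# ISO-8601 duration as used by the Duration type (e.g. PT1H, P1D, PT30M).
# Assumption: at least one component is required; the page only gives PT1H.
_DURATION_RE = re.compile(
    r"^P(?!$)(?:\d+Y)?(?:\d+M)?(?:\d+W)?(?:\d+D)?"
    r"(?:T(?=\d)(?:\d+H)?(?:\d+M)?(?:\d+(?:\.\d+)?S)?)?$"
)
# Assumption: a Spring bean id is a non-empty token without whitespace.
_BEAN_ID_RE = re.compile(r"^\S+$")
_LONG_RE = re.compile(r"^[+-]?\d+$")
_JAVA_LONG_MAX = 2**63 - 1   # assumption: Long means a Java long
_JAVA_LONG_MIN = -2**63


def validate_value(attr_type: str, value: Any, options: Optional[List[str]] = None) -> Any:
    """Validate one entered value against its custom entity attribute type.

    Returns the value in its stored form: a bool for Boolean, otherwise a
    string, following the 'stored as a string' notes on the page. Raises
    ValueError for anything that does not fit the declared type."""
    if attr_type == "String":
        return str(value)
    if attr_type == "Boolean":
        if isinstance(value, bool):
            return value
        text = str(value).strip().lower()
        if text in ("true", "false"):
            return text == "true"
        raise ValueError(f"Boolean value must be true or false, got {value!r}")
    if attr_type == "List":
        if not options:
            raise ValueError("List type needs its list of allowed options")
        if str(value) not in options:
            raise ValueError(f"{value!r} is not one of {options}")
        return str(value)
    if attr_type == "Long":
        text = str(value).strip()
        if not _LONG_RE.match(text) or not _JAVA_LONG_MIN <= int(text) <= _JAVA_LONG_MAX:
            raise ValueError(f"Long value out of range or not an integer: {value!r}")
        return text
    if attr_type == "Double":
        text = str(value).strip()
        try:
            number = float(text)
        except ValueError:
            raise ValueError(f"Double value is not numeric: {value!r}") from None
        if not math.isfinite(number):
            raise ValueError(f"Double value must be finite: {value!r}")
        return text
    if attr_type == "Duration":
        text = str(value).strip()
        if not _DURATION_RE.match(text):
            raise ValueError(f"Duration must be ISO-8601, e.g. PT1H, got {value!r}")
        return text
    if attr_type == "Spring Bean ID":
        text = str(value).strip()
        if not _BEAN_ID_RE.match(text):
            raise ValueError(f"Spring bean id must be a non-empty token: {value!r}")
        return text
    raise ValueError(f"Unknown attribute type {attr_type!r}")


def is_valid(attr_type: str, value: Any, options: Optional[List[str]] = None) -> bool:
    """Convenience wrapper: True when validate_value accepts the input."""
    try:
        validate_value(attr_type, value, options)
        return True
    except ValueError:
        return False


def persist_value(attr_type: str, value: Any, persist_type: Optional[str] = None,
                  options: Optional[List[str]] = None) -> Any:
    """Apply the optional Persist Type: validate against the display type,
    then convert to the persisted type (e.g. display Boolean, persist String)."""
    stored = validate_value(attr_type, value, options)
    if persist_type is None or persist_type == attr_type:
        return stored
    if persist_type == "String":
        return "true" if stored is True else "false" if stored is False else str(stored)
    if persist_type == "Boolean":
        return validate_value("Boolean", stored)
    raise ValueError(f"Unsupported persist type {persist_type!r} for {attr_type!r}")
```

The Double branch rejects NaN and infinity on purpose: Python's float() accepts "nan" and "inf", and a stored value that the IdP later parses as a number would otherwise carry a surprise.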

Attribute Release Bundles

Attribute Release bundles can be created as a convenience feature for metadata creators. This allows an administrator to select from the list of custom attributes defined in the `application.yml` file.

To create an attribute bundle, click the "Advanced" button in the upper right navigation and select "Attribute bundles".


The user is taken to the Attribute Bundles page.  This page allows you to edit or delete an existing bundle, or add a new bundle.

Click the "Add bundle" button.


The user is presented with a form where they can enter a bundle name and select from the list of available attributes defined in the system.


Clicking "Save" will save this bundle and return the user to the Attributes Bundle page. Mousing over the list of bundled attributes will display the full list of attributes defined in the bundle, in case the list is too long to display in the bundle list table.


A user can select these bundles when creating a new Metadata Source or Entity Attributes Filter. On the Attribute Release page, the bundles are displayed above the list of attributes. Clicking the check button to the right of the bundle name will select the checkboxes below for the attributes in that bundle. This allows the user to select multiple bundles.


Groups

Groups can be defined by an administrator using the Groups page. Metadata sources and users can belong to a group, and each user may have a role within the context of that group. When a user is created in the system, they are added by default to their own user group which is generated at the same time, unless a specific group is specified. When a metadata source is created, that source is added to the group that the user who created it belongs to.

To create a group, click the "Advanced" button in the upper right navigation and select "Groups".


This takes the user to the Groups list page, where it is possible to edit or delete an existing group (except the ADMIN-GROUP; this group is required by the system.)

Click "Add new group" to create a new group.


The user is presented with a form to enter the group name, description, and a URL validation regex. The URL validation regex field is for administrators to define what entity IDs and assertion consumer service URLs can be targeted by members of that group.


Clicking save will save the group and return the user to the groups list page.

At this point, an administrator can go back to the dashboard and select the "Admin" tab, where the new group will be added to the select boxes to the right of each user so that the user can be added to that group. A green notification will display when the user's group is updated successfully.


If a user who is a member of that new group creates a source, that source will be added to the group.  Note that during this creation process, the source's Entity ID and any assertion consumer service endpoint URLs will be restricted to matching the regular expression defined on that member's group. For example, here is a failed validation on the Entity ID:


Once it has been corrected, the user can proceed with their metadata source definition:


Similarly, when defining Assertion Consumer Service Endpoints, the URL will be validated against the group's RegEx:

And once it is successful:


Once the group member saves the source, it will be added to the group. The source can then be updated / changed by an administrator.
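The group's URL validation regex is the control that keeps a delegated user from registering a metadata source whose Entity ID or assertion consumer service endpoints point outside the group's own namespace, so how the regex is applied matters. The following Python is an added example written for this page, not code from the Shibboleth IdP UI project; the group definition and URLs are constructed sample values, the assumption that the check is anchored (a full match rather than a substring search) is this example's own, and the broadness check is a heuristic of this example, not a feature of the UI.

```python
import re
from typing import Dict, List

# Constructed group, as an administrator would define it on the Groups page.
# The name, description and regex are sample values, not from any deployment.
LIBRARY_GROUP: Dict[str, str] = {
    "name": "library-sps",
    "description": "Service providers run by the library",
    "urlValidationRegex": r"https://[a-z0-9-]+\.lib\.example\.edu(?:/.*)?",
}


def url_allowed(group: Dict[str, str], url: str) -> bool:
    """True when the whole URL matches the group's regex.

    Assumption: the check is anchored (fullmatch). An unanchored search
    would accept any URL that merely contains an allowed host somewhere."""
    return re.fullmatch(group["urlValidationRegex"], url) is not None


def url_allowed_unanchored(group: Dict[str, str], url: str) -> bool:
    """The weaker variant, kept only to show why anchoring matters."""
    return re.search(group["urlValidationRegex"], url) is not None


def validate_source(group: Dict[str, str], entity_id: str, acs_urls: List[str]) -> List[str]:
    """Validate a new metadata source against the creator's group, the way
    the wizard rejects an Entity ID or ACS endpoint that does not match.
    Returns a list of error messages; an empty list means the source passes."""
    errors: List[str] = []
    if not url_allowed(group, entity_id):
        errors.append(f"Entity ID {entity_id!r} does not match the regex of group {group['name']!r}")
    for url in acs_urls:
        if not url_allowed(group, url):
            errors.append(f"Assertion consumer service URL {url!r} does not match "
                          f"the regex of group {group['name']!r}")
    return errors


def regex_is_too_broad(pattern: str, canary: str = "https://not-your-org.invalid/path") -> bool:
    """Administrator-side sanity check (this example's own heuristic): a group
    regex that accepts an obviously foreign URL does not restrict the group
    at all, and a regex that does not compile cannot enforce anything."""
    try:
        return re.fullmatch(pattern, canary) is not None
    except re.error:
        return True


if __name__ == "__main__":
    print(validate_source(LIBRARY_GROUP, "https://catalog.lib.example.edu/shibboleth",
                          ["https://catalog.lib.example.edu/Shibboleth.sso/SAML2/POST"]))
    print(validate_source(LIBRARY_GROUP, "https://catalog.example.com/shibboleth",
                          ["https://catalog.lib.example.edu/Shibboleth.sso/SAML2/POST"]))
    print(regex_is_too_broad(".*"), regex_is_too_broad(LIBRARY_GROUP["urlValidationRegex"]))
```

When reviewing a group definition, the two things worth checking are that the regex escapes its dots (so `lib.example.edu` does not also accept `libXexampleXedu`) and that it cannot be satisfied by a host that merely ends in, or contains, the expected name; the anchored check and the broadness heuristic above cover both.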

Roles

An administrator can create custom roles to apply to users. These custom roles define the user's capability within the group. The special roles already defined are ROLE_ADMIN and ROLE_ENABLE. By default, a new user is given the role ROLE_USER.

To create a role, click the "Advanced" button in the upper right navigation and select "Roles".


This takes the user to the Roles list page, where it is possible to edit or delete an existing role (except the ROLE_ADMIN role, which is required by the system).

Click "Add new role" to create a new role.


The user is presented with a single text field to enter the name of the new role.


Entering a name and clicking "Save" will return the user to the roles list page, where the new role has been added to the list. A success message is displayed.


At this point, if the user returns to the dashboard and selects the "Admin" tab, the Role dropdown will be populated with the roles in the system, including any custom roles they have defined.


