Overview

The Shibboleth IdP UI

...

Dashboards  

The Shibboleth IdP UI has four dashboard functions:  

  • Metadata Source 
  • Metadata Provider
  • Admin
  • Action Required

A Shibboleth IdP UI Administrator (Administrator) has the ability to view all of these.  In addition, the Administrator is able to view and modify all metadata sources, metadata providers, and administrative functions including the Admin and Action Required dashboards.  

A Shibboleth IdP UI Delegated Administrator (User) only has the ability to maintain Metadata Source metadata and can only view the Metadata Source dashboard.  The User's Metadata Source Dashboard will only display metadata sources created by that User.

Metadata Source

The Metadata Source dashboard displays the list of metadata sources that have been created using the Shibboleth IdP UI application.  The process to update a metadata source starts by clicking the title.  If the metadata source information has been saved to the database, the metadata configuration page will be displayed.  If a new metadata source is created using the wizard but the entry of information was not complete, the user will be notified that any unsaved changes will be discarded. Therefore, it is necessary to complete the new metadata source wizard in order to save a new metadata source to the database.

Image Removed

Metadata Provider

The Metadata Provider dashboard displays the list of metadata providers that have been created using the Shibboleth IdP UI application. There are four types of metadata providers: FileBackedHTTPMetadataProvider, FileSystemMetadataProvider, LocalDynamicMetadataProvider and DynamicHTTPMetadataProvider.

Image Removed

Admin

The Admin Dashboard enables an Administrator to assign roles to individuals allowed to use the Shibboleth IdP UI application.  The available roles are currently Administrator, Enabler, User, and None.

Image Removed

Action Required

The Action Required Dashboard provides the Administrator with two types of notifications:

  • Enable Metadata Sources
  • User Access Requests

Enable Metadata Sources displays requests when a user creates a new metadata source.  User Access Requests prompts administrators to assign a role for a new User.

Image Removed

Add Metadata Source

To add a metadata source, click the Add New button at the top of the page, and choose the Metadata Source option from the drop-down.

Image Removed

Select Add Option

When the page shown below is displayed, three options are provided to begin adding a new metadata source.

Image Removed

  • Create (default option) - this option requires you to enter information manually by following the Create Metadata Source wizard and entering all pertinent information for the metadata source.  Following the last page of the wizard (attribute release) the metadata configuration page will be displayed.
  • Upload/URL - this option provides the ability to bring in existing metadata source information by uploading the information from either a file or a URL.  Once the information has been saved, the metadata configuration page will be displayed to allow for modifications to the information uploaded.
  • Copy - this option provides the ability to bring in existing metadata source information by copying a metadata source that already exists in the Shibboleth IdP UI application.  Once the information has been saved, the metadata configuration page will be displayed to allow for modifications to the information copied.

On each page, fields that require information to be entered are denoted by an '*' at the end of the description for the field.       

Examples of the pages for the different options are displayed below.

Create 

Enter the Service Provider Name and Entity ID, then click the Organization Information button to continue through the wizard.

Image Removed

The wizard guides you through the following pages to capture the metadata source information:

  • Organization information
  • MDUI information
  • SP SSO descriptor information
  • Logout endpoints
  • Security information
  • Assertion consumer services
  • Relying party overrides
  • Attribute release

Navigation through the wizard is controlled by either moving to the previous page by clicking the Back button or moving to the next page by clicking the Next button.  Once the final page of the wizard has been reached, the user will be able to save their new metadata source.  If the user navigates away from the form at any time prior, they will be notified that their changes will not be saved if the wizard is not completed.

Examples of each page are shown below.

Organization Information

Image Removed

MDUI Information

Image Removed

SP SSO Descriptor Information

Image Removed

Logout Endpoints

Image Removed

Security Information

Image Removed

Assertion Consumer Services

Image Removed

Relying Party Overrides

Image Removed

Attribute Release

Image Removed

Upload/URL  

Enter the Service Provider Name and either a metadata file or metadata URL.  Click the Save button.  All data will be retrieved from the metadata file.  The data uploaded can be updated on the Metadata Source Add Configuration page.

Image Removed

Copy 

Select the entity ID to copy, enter the Service Provider Name and Entity ID, then click the Next button.  All data will be copied from the entity ID selected.

The data copied can be updated on the Metadata Source Add Configuration page.

Image Removed

Metadata Source Add Configuration Page

The Metadata Source Add Configuration page displays when you have completed the process of adding a metadata source.  This page displays all of the values for the metadata source on one page.  You can edit metadata source configuration details by clicking the edit link for a section.  If no edits are needed, you can save the information for the metadata source in the database by clicking the Save button.  An Administrator also has the ability to enable the metadata source for use in an IdP.  If the metadata source is added by a User, a request will be sent to an Administrator to enable the metadata source.

Image Removed

Update Metadata Source

Metadata Source Configuration

When you click on a metadata source in the Metadata Sources dashboard, the Metadata Source Configuration page will be displayed.  This page shows the following information for the metadata source:

  • Date saved
  • Saved by
  • Enabled/Not Enabled
  • Whether it is the current production version
  • All configuration information saved separated by section

Click the following links to initiate actions from this page:

  • Version History - Display of version history for the metadata source
  • XML - View the XML Configuration for the metadata source
  • Edit - Edit the metadata source.  This option is only available if you are viewing the current version of the metadata source.
  • Delete - Delete the metadata source.  This option is only available if the source is not enabled.

Image Removed

Version History

The Version History page displays all of the versions that were saved for the metadata source.  The following actions can be initiated from this page:

  • Compare Selection - Click two or more check boxes to the left of the save date and click the Compare Selected button.  The Compare Source Configuration Page will be displayed.
  • Display/edit version - Click the version to display the information for that version on the Source Configuration page.
  • Restore - Click the Restore link next to a version to create a new version for the metadata source.  This will contain the information that was saved for the version selected.

Image Removed

Compare Selection

When two or more versions are selected to compare, the Compare Source Configuration page will be displayed.  This display shows all data fields for the metadata source and highlights the fields that differ between the versions.  An additional option is available by toggling the View Only Changes field, which will display only the fields that have changed.

Full Data Display

Image Removed

Changes Only

Image Removed

Restore

When you click the link to restore a version, the Restore Version page will be displayed.  If you click the Cancel button, the Version History page will be re-displayed with no changes.  If you click the Restore button, a new version will be created and the Source Configuration page will be displayed as shown above.  You can then make modifications to the new version of the metadata source and save it.

Image Removed

XML Configuration

This page displays the XML version of the metadata for the metadata source.

Image Removed

Edit

When you click the Edit link in the Source Configuration page, the section you selected to edit is displayed on the page.  The link in the left navigation is highlighted indicating the section displayed.  The following functions can be performed on this page:

  • Modifications can be made to the data on the page
  • Data can be saved by clicking the Save button.  All modifications for the metadata source will be saved and the Metadata Source Configuration page will be displayed.  Note: Multiple sections can be modified prior to selecting Save and the modifications for all sections will be saved.
  • Clicking the Cancel button will cause the Metadata Source Configuration page to be displayed and all modifications made since the last Save will be ignored.
  • Clicking the link for another section in the left navigation will initiate the display of a new page containing the data for that section.

Image Removed

Add Metadata Provider

To add a metadata provider, click the Add New button at the top of the page, and choose the Metadata Provider option from the button menu.  After you choose the Metadata Provider option, you will be prompted to select the metadata provider type.  This will start the add process for the metadata provider.  Enter a metadata provider name and select one of the four metadata provider types:

  • FileBackedHTTPMetadataProvider
  • FileSystemMetadataProvider
  • LocalDynamicMetadataProvider
  • DynamicHTTPMetadataProvider

A wizard will guide you through the steps to provide the information required for each metadata provider type. 

On each page of the wizard, fields that require information to be entered are denoted by a '*' at the end of the description for the field.  Following the last page of the wizard (attribute release) the Metadata Provider Add Configuration page will be displayed.

Image Removed

Add New Metadata Provider

Navigation through the wizard is controlled by either moving to the previous page by clicking the Back button or moving to the next page by clicking the Next button.  If you attempt to navigate away from the wizard, a pop-up will be displayed that notifies you that your changes will be lost if you proceed.  If you select Cancel, you can continue through the wizard.

Image Removed

FileBackedHTTPMetadataProvider Wizard

The FileBackedHTTPMetadataProvider wizard displays the following pages to capture the metadata provider information:

  • Common Attributes
  • Reloading Attributes
  • Metadata Filter Plugins   

Examples of each page are shown below.

Common Attributes

Image Removed

Reloading Attributes

Image Removed

Metadata Filter Plugins

Image Removed

FileSystemMetadataProvider Wizard

The FileSystemMetadataProvider wizard displays the following pages to capture the metadata provider information:

  • Common Attributes
  • Dynamic Attributes

Examples of each page are shown below.

Common Attributes

Image Removed

Dynamic Attributes

Image Removed

LocalDynamicMetadataProvider Wizard

The LocalDynamicMetadataProvider wizard displays the following pages to capture the metadata provider information:

  • Common Attributes
  • Dynamic Attributes

Examples of each page are shown below.

Common Attributes

Image Removed

Dynamic Attributes

Image Removed

DynamicHTTPMetadataProvider Wizard

The DynamicHTTPMetadataProvider wizard displays the following pages to capture the metadata provider information:

  • Common Attributes
  • Dynamic Attributes
  • Metadata Filter Plugins

Examples of each page are shown below.

Common Attributes

Image Removed

Dynamic Attributes

Image Removed

Metadata Filter Plugins

Image Removed

Metadata Provider Add Configuration Page

The Metadata Provider Add Configuration page allows you to view all data for the metadata provider on one page.  The information displayed on the Metadata Provider Add Configuration page will be determined by the metadata provider type for the metadata provider.  You can edit metadata provider configuration details by clicking the edit link for a section.  Once all information is reviewed/updated, save the information for the metadata provider in the database by clicking the Save button.  Once saved, an Administrator also has the ability to enable the metadata provider for use in an IdP.

Examples of the Metadata Provider Add Configuration page for each type of metadata provider are shown below.

FileBackedHTTPMetadataProvider

Image Removed

FileSystemMetadataProvider

Image Removed

LocalDynamicMetadataProvider

Image Removed

DynamicHTTPMetadataProvider

Image Removed

Update Metadata Provider

Metadata Provider Configuration

When you click a metadata provider in the dashboard, the Metadata Provider Configuration page will display the sections for the metadata provider type.  This page displays the following common information for the metadata provider:

  • Date saved
  • Saved by
  • Enabled/Not Enabled
  • Whether it is the current production version
  • All configuration information saved separated by section

The following links can be selected to initiate actions from this page:

  • Version History - Display of version history for the metadata provider.  
  • Edit - Edit the metadata provider.  This option is only available for the current version.
  • Filters & Add Filter - For providers that support them, clicking the Filters link positions you at the filters section.  Clicking the Add Filter button allows you to add metadata filters to the current provider.
  • Enable/Disable - The Enable / Disable button allows you to toggle the enabled status of the provider.  Note that this can also be changed from the dashboard.

Note:  Version History includes options for Compare Selections, Edit/Display, and Restore metadata providers. The functionality of these options is the same as it is for metadata sources.  Please refer to those sections above for more details.

The provider configuration page for each metadata provider type is displayed below.

FileBackedHTTPMetadataProvider

Image Removed

Image Removed

Image Removed

FileSystemMetadataProvider

Image Removed

LocalDynamicMetadataProvider

Image Removed

DynamicHTTPMetadataProvider

Image Removed

Image Removed

Image Removed

Edit

When you click the Edit link for a section in the Metadata Provider Configuration page, that section is displayed on the page and available to edit.  The link in the left navigation is highlighted indicating the section displayed.  The following functions can be performed on this page:

  • Modifications can be made to the data on the page
  • Data can be saved by clicking the Save button.  All modifications for the metadata provider will be saved and the Metadata Provider Configuration page will be displayed.  Note:  Multiple sections can be modified prior to selecting Save and the modifications for all sections will be saved.
  • Clicking the Cancel button will cause the Metadata Provider Configuration page to be displayed and all modifications made since the last Save will be ignored.
  • Clicking the link for another section in the left navigation will initiate the display of a new page containing the data for that section.

Image Removed

In addition to editing the information that was included during the add process for a metadata provider, Advanced Settings may also be modified.  Click the Advanced Settings link in the left navigation and toggle the switch at the top of the page to unlock the fields for editing.

Note:  Advanced Settings are an advanced function and should not normally need to be modified.

Advanced Settings

Image Removed

Image Removed

Filters

Filters are attached to a specific metadata provider. Either a File-Backed or Dynamic HTTP Metadata Provider can have filters.  A list of filters is displayed at the bottom of the Metadata Provider Configuration page.  The sequence of filters in the list can be modified by clicking the up/down arrows to the left of the filter name.  Filters can also be Enabled / Disabled.  Click the Add Filter link to add a new filter to the metadata provider.   

Image Removed

Add Filter

After you click Add Filter, you will be prompted to select the filter type.  The options for the filter type are:

  • EntityAttributes
  • NameIDFormat

Once the filter type is selected, the page will expand to display the data fields that can be entered for that filter type.  The interface is similar to the provider edit interface in that there is a left-hand navigation for the different sections of the filter's definition.

On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.  

Image Removed

Filter Page Examples

EntityAttributes 

Image Removed

Image Removed

Image Removed

NameIDFormat 

Image Removed

Image Removed

Update Filter

To update an existing filter, click the filter name in the filter list.  The filter information will be displayed below the row for the filter selected.  Click the Edit link to display the filter page for update.  Click the Delete link to remove the filter from the filter list.

Image Removed

Versioning/Comparison

Filters do not have a separate version number to select from version history.  When metadata provider versions are selected, the filters corresponding to each metadata provider version selected are displayed below the metadata provider data at the bottom of the page.    

Metadata Provider Version History

Image Removed

Metadata Filter Comparison selection

The order of the filters may not be the same for each metadata provider.  Click the checkbox next to the corresponding filters (same filter name) to compare the values for the filter.  The differences will then be displayed.

Image Removed

Image Removed

User Maintenance

Users can be added using two methods.  The first method is to include the users in the user file during application deployment.  The second method is to insert your IdP in front of the Shibboleth IdP UI application and publish a link to the individuals you would like to use the application.  When they receive the link, they can sign in to the application.  The first time a user accesses the application, the user will see a "user request received" notification as shown below, and the new user will be displayed on the administrator's Action Required dashboard.

Image Removed

Once a new user request has been received, the Administrator can assign a role or delete the request.  Click the role to display the available roles as shown below.  The appropriate role can then be assigned.   

Image Removed

If Delete Request is clicked, a confirmation message will be displayed as shown below.  You can then confirm or cancel the deletion.

Image Removed

Custom Entity Attributes / Relying Party Overrides

Custom Entity Attributes can be added by an administrator. These attributes become options on the Relying Party Overrides section when configuring a Metadata Source or an Entity Attributes Filter.

To create an attribute, click the "Advanced" button in the upper right navigation and select "Custom entity attributes".

Image Removed

The user is presented with a form to configure a new attribute. The following is a list of the Entity Attribute types:

  • String (simple plain text)
  • Boolean (allows options to store as a string or boolean value)
  • List (list of strings with a default option)
  • Long (stored as a string)
  • Double (stored as a string)
  • Duration (stored as a string in the ISO-8601 duration format)
    • example: PT1H
  • Spring Bean ID (stored as a string)

Image Removed

Form fields for creating a new attribute:

  • Name: The name of the entry, used to uniquely identify it.
  • Attribute Type: The type to use when displaying this option
  • Attribute Friendly Name: This is the friendly name associated with the Attribute Name.
  • Attribute Name: This is the name of the attribute to be used in the XML. This is assumed to be a URI.
  • Display Name: This will normally be the label used when displaying this override in the UI
  • Help Text: This is the help-icon hover-over text
  • Default Value: One or more values to be displayed as default options in the UI
  • Persist Type: Optional. If it is necessary to persist something different than the override's display type, set that type here. For example, display a boolean, but persist a string.
  • Persist Value: Required only when Persist Type is used. Defines the value to be persisted.

Attribute Release Bundles

Attribute Release bundles can be created as a convenience feature for metadata creators. This allows an administrator to select from the list of custom attributes defined in the `application.yml` file.

To create an attribute bundle, click the "Advanced" button in the upper right navigation and select "Attribute bundles".

Image Removed

The user is taken to the Attribute Bundles page.  This page allows you to edit or delete an existing bundle, or add a new bundle.

Click the "Add bundle" button.

Image Removed

The user is presented with a form where they can enter a bundle name and select from the list of available attributes defined in the system.

Image Removed

Clicking "Save" will save this bundle and return the user to the Attribute Bundles page. Mousing over the list of bundled attributes will display the full list of attributes defined in the bundle, in case the list is too long to display in the bundle list table.

Image Removed

A user can select these bundles when creating a new Metadata Source or Entity Attributes Filter. On the Attribute Release page, the bundles are displayed above the list of attributes. Clicking the check button to the right of the bundle name will select the checkboxes below for the attributes in that bundle. This allows the user to select multiple bundles.

Image Removed

Groups

Groups can be defined by an administrator using the Groups page. Metadata sources and users can belong to a group, and each user may have a role within the context of that group. When a user is created in the system, they are added by default to their own user group which is generated at the same time, unless a specific group is specified. When a metadata source is created, that source is added to the group that the user who created it belongs to.

To create a group, click the "Advanced" button in the upper right navigation and select "Groups".

Image Removed

This takes the user to the Groups list page, where it is possible to edit or delete an existing group (except the ADMIN-GROUP; this group is required by the system.)

Click "Add new group" to create a new group.

Image Removed

The user is presented with a form to enter the group name, description, and a URL validation regex. The URL validation regex field is for administrators to define what entity IDs and assertion consumer service URLs can be targeted by members of that group.

Image Removed

Clicking "Save" will save the group and return the user to the groups list page.

At this point, an administrator can go back to the dashboard and select the "Admin" tab, where the new group will be added to the select boxes to the right of each user so that the user can be added to that group. A green notification will display when the user's group is updated successfully.

Image Removed

If a user who is a member of that new group creates a source, that source will be added to the group.  Note that during this creation process, the source's Entity ID and any assertion consumer service endpoint URLs will be restricted to matching the regular expression defined on that member's group. For example, here is a failed validation on the Entity ID:

Image Removed

Once it has been corrected, the user can proceed with their metadata source definition:

Image Removed

Similarly, when defining Assertion Consumer Service Endpoints, the URL will be validated against the group's RegEx:

Image Removed

And once it is successful:

Image Removed

Once the group member saves the source, it will be added to the group. The source can then be updated / changed by an administrator.
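The group-scoped validation walked through above, as an added illustration that is not the Shibboleth IdP UI's own code: a group's URL validation regex is applied to a new source's Entity ID and to each Assertion Consumer Service endpoint URL. The group name, regex and URLs are constructed, and two assumptions are mine because the page does not state them: the pattern must match the whole value, and ADMIN-GROUP is unrestricted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Group:
    """A group as the page describes it: name, description and URL validation regex.
    A regex of None models an unrestricted group (assumption, used for ADMIN-GROUP)."""
    name: str
    description: str
    url_validation_regex: Optional[str]


@dataclass(frozen=True)
class ValidationResult:
    field_name: str
    value: str
    ok: bool
    reason: str = ""


# Constructed sample groups; the regex and hostnames are not from the page.
LIBRARY_GROUP = Group(
    name="LIBRARY",
    description="Library systems staff",
    # Whole-URL pattern: https scheme, any host under library.example.edu, optional path.
    url_validation_regex=r"https://[a-z0-9.-]+\.library\.example\.edu(/.*)?",
)
ADMIN_GROUP = Group(name="ADMIN-GROUP", description="Required by the system",
                    url_validation_regex=None)


def validate_value(group: Group, field_name: str, value: str) -> ValidationResult:
    """Apply the group's regex to one Entity ID or ACS endpoint URL.

    fullmatch() is used so the administrator's pattern must describe the entire
    value; a pattern that merely occurs somewhere inside the URL is not enough.
    """
    if group.url_validation_regex is None:
        return ValidationResult(field_name, value, True)
    if re.fullmatch(group.url_validation_regex, value):
        return ValidationResult(field_name, value, True)
    return ValidationResult(
        field_name, value, False,
        f"{field_name} must match group {group.name} regex {group.url_validation_regex!r}",
    )


def regex_occurs_in(group: Group, value: str) -> bool:
    """What an unanchored check (re.search) would decide. Shown only to contrast with
    validate_value(): a URL on another host that carries an allowed URL in a query
    parameter is accepted here but rejected by the whole-value check."""
    if group.url_validation_regex is None:
        return True
    return re.search(group.url_validation_regex, value) is not None


def validate_metadata_source(group: Group, entity_id: str,
                             acs_urls: List[str]) -> List[ValidationResult]:
    """Validate every restricted field of a new metadata source for a group member.
    Mirrors the page's two checkpoints: the Entity ID and each ACS endpoint URL."""
    results = [validate_value(group, "Entity ID", entity_id)]
    for index, url in enumerate(acs_urls, start=1):
        results.append(validate_value(group, f"Assertion Consumer Service endpoint {index}", url))
    return results


def failures(results: List[ValidationResult]) -> List[ValidationResult]:
    return [r for r in results if not r.ok]


if __name__ == "__main__":
    # Failed validation on the Entity ID (another department's host), then the corrected value.
    bad = validate_metadata_source(LIBRARY_GROUP, "https://sp.otherdept.example.edu/shibboleth", [])
    for r in failures(bad):
        print("rejected:", r.reason)
    good = validate_metadata_source(
        LIBRARY_GROUP,
        "https://sp.library.example.edu/shibboleth",
        ["https://sp.library.example.edu/Shibboleth.sso/SAML2/POST"],
    )
    print("all fields valid:", not failures(good))
```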

Image Removed

Image Removed

Roles

An administrator can create custom roles to apply to users. These custom roles define the user's capability within the group. The special roles already defined are ROLE_ADMIN and ROLE_ENABLE. By default, a new user is given the role ROLE_USER.

To create a role, click the "Advanced" button in the upper right navigation and select "Roles".

Image Removed

This takes the user to the Roles list page, where it is possible to edit or delete an existing role (except the ROLE_ADMIN role, which is required by the system).

Click "Add new role" to create a new role.

Image Removed

The user is presented with a single text field to enter the name of the new role.

Image Removed

Entering a name and clicking "Save" will return the user to the roles list page, where the new role has been added to the list. A success message is displayed.

Image Removed

At this point, if the user returns to the dashboard and selects the "Admin" tab, the Role dropdown will be populated with the roles in the system, including any custom roles they have defined.

The Shibboleth IdP UI is an easy-to-use management dashboard for working with the latest releases of the Shibboleth IdP. The new Shibboleth IdP UI dashboard allows users to create and update new service providers to be integrated with IdPs using a friendly graphical user interface. IdP operators can come up to speed and integrate services quickly with minimal training, and the dashboard provides you with an opportunity to delegate IdP management more broadly throughout your organization.

Key Features of IdP UI

Setup Wizard

The Shibboleth IdP UI provides a wizard for adding or modifying service providers, metadata providers, and filters, which gives IdP staff and administrators the flexibility to modify existing IdPs. IdP staff will no longer need to understand the intricacies of multiple complex XML files and edit them just to integrate one new service.

Administrative Management

You can accomplish a significant portion of the IdP's administrative management through the Shibboleth IdP UI's intuitive user interface, including post-installation modifications to the Shibboleth IdP.

Integration Management

The Shibboleth IdP UI’s easy-to-understand dashboard and wizard provide the capability to integrate new service providers into the IdP, including managing the initial metadata setup and specifying special settings such as SP authentication overrides and attributes to be released.

Consistency with Shibboleth IdP Modifications

The most common and complex task IdP administrators need to deal with is the metadata and filter information that represent custom configurations of their IdP. The Shibboleth IdP UI makes this easy, allowing staff to execute a one-time setup for the modification of selected IdP(s). This reduces long-term maintenance and operational costs.

Integrated Help

The Shibboleth IdP UI dashboard and wizard guide users to choose the right options by providing helpful information and tooltips throughout the setup process.

Security and Privacy Control

The Shibboleth IdP UI allows for the configuration of security policies for service providers such as encryption, signing and multi-factor configuration.

Dashboard

The Shibboleth IdP UI has five dashboard functions: 

A Shibboleth IdP UI Administrator (Administrator) has the ability to view all of these.


Non-Administrators (ROLE_USER and ROLE_ENABLE) only have access to the Metadata Source and Dynamic Registration dashboards. These users can only view sources and registrations associated with their group.

Users belonging to groups that approve metadata sources and dynamic registrations created by other groups will have the Actions Required tab, but only have access to Approve Metadata Source and Approve Dynamic Registrations, and only the sources and registrations created by the groups they approve for will be displayed.

Metadata Source Dashboard

Metadata sources in the Shibboleth IdP UI are individual metadata artifacts describing single entities, typically relying parties. The Metadata Source Dashboard displays the metadata sources that have been created using the Shibboleth IdP UI application, along with the following information:

  • Title of metadata source
  • Entity ID
  • Authentication Protocol
  • Author
  • Creation Date
  • Approval status
  • Enabled status
  • Group association

On this screen the Administrator can perform the following functions:

Image Added

Metadata Source Search

Users can search for metadata sources by their title, entity ID, authentication code, or author. To perform a search:

  1. Log into the Shibboleth IdP UI as an Administrator, or as a user with ROLE_USER or ROLE_ENABLE.
  2. Navigate to the Dashboard > Metadata Sources tab.
  3. Click in the Search Files field and start typing your search term.

NOTE: As you start typing in the search field, the list will reduce to show only those metadata sources that match what you have typed.

Enable Metadata Source

Administrators and users with ROLE_ENABLE can enable/disable metadata sources. If the metadata source is added by a User, a request will be sent to enable the source. To enable a source from the Metadata Source Dashboard:

  1. Log into the Shibboleth IdP UI as an Administrator or as a user with ROLE_ENABLE.
  2. Navigate to the Dashboard > Metadata Sources tab.
  3. Toggle the Enabled switch ON.

...