I’ve been working on the Shibboleth project, trying to implement the identity management framework and trying to extend it. You’ll have to wait for a paper or thesis for more details about the work we’re actually doing.
In essence, the Shibboleth (shib) Identity Provider (IdP) authenticates a user and releases certain attributes of the user to the Service Provider (SP). The standard implementation of the IdP can extract attributes from the filesystem, an LDAP server or an RDBMS. If you want to retrieve attributes from some obscure place (like your application specializing in dynamically generating some attributes), you need to write your own data connector. Here are the steps you need to take in order to create a new data connector: (I’m assuming you’re using the IdP provided by Internet2 – written in Java)
- Add a dataconnector to shibboleth-2.0-attribute-resolver-dc.xsd in src/main/resources/schema
- Add resolver-new-connector.xml where resolver-ldap.xml is (this is only for the tests through)
- Add new-connectorfactorybean.java where ldapconnectorfactorybean.java is.
- Add new-connectorbeandefinitionparser.java where ldapconnectorbeandefinitionparser.java is.
- Add new-dataconnector.java to common.attribute.resovler.provider.dataconnector
- Register the new bean parsers… this one’s a little tricky… See code for details.
After that, you need to write the relevant XML in conf/attribute-resolver.xml and conf/attribute-filter.xml to release the new attribute. Also, you need to write an attribute map on the SP side to map the new attribute to a header.
I’m sure this doesn’t make much sense right now but we’ll be releasing the code of our data connector pretty soon inshaallah and you’ll be able to see the whole thing work. Stay tuned.