[[DocuSign]]
Trace: Idpv3x-c8 IDP v4 as proxy
Show pageOld revisions
AdminRecent ChangesSitemap

* ancien site

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
docpublic:systemes:shibboleth:docusign [2021/01/28 10:13]
procacci@tem-tsp.eu [DocuSign SP Metadata] 		docpublic:systemes:shibboleth:docusign [2023/10/24 14:46] (current)
adminjp [shib IDP attribute-resolver]
Line 2: Line 2:
  
 This page shows how to enable a shibboleth IDP v4 to authenticate and send attributes to a DocuSign Service Provider .  This page shows how to enable a shibboleth IDP v4 to authenticate and send attributes to a DocuSign Service Provider . 
 +
 +external references :
 +
 +  * https://wiki.shibboleth.net/confluence/display/IDP4/Home
 +  * https://support.docusign.com/fr/guides/org-admin-guide
  
 ===== DocuSign demo SP ===== ===== DocuSign demo SP =====
Line 33: Line 38:
 {{:docpublic:systemes:shibboleth:shib-docusign-sp-idp-end-points-definition.png?300|}} {{:docpublic:systemes:shibboleth:shib-docusign-sp-idp-end-points-definition.png?300|}}
  
-We also set thet we use signe AuthN an use Post Method . +We also set that we use signed AuthN and use Post Method . 
 ==== DocuSign SP Metadata ==== ==== DocuSign SP Metadata ====
  
Line 55: Line 60:
 === SP metadata certificate === === SP metadata certificate ===
  
-the ducosing SP certificate is included in these frashly downloaded metadata, we can extract it to a dedicated file that will be loaded in our metadata-provider for sign checking .+the DocuSign SP certificate is included in these freshly downloaded metadata, we can extract it to a dedicated file that will be loaded in our metadata-provider for sign checking .
  
 get certificate from SP metadata element X509Certificate :  get certificate from SP metadata element X509Certificate : 
Line 136: Line 141:
 </code> </code>
    
 +==== NameID ====
  
 +DocuSign expect by default an identifier (SAML NameID) that is persistent and mapped to the mail attribute . By default and design for dataProtection, shibboleth IDP  uses a transcient NameID with a random value . So we need to define a persistent NameID based on the mail attibute for seamless authN with Docusign . 
 +
 +this is done in saml-nameid.xml with activating ** <ref bean="shibboleth.SAML2PersistentGenerator" /> ** and associated saml-nameid.properties :
 +
 +<code>
 +[root@idptest conf]# vim saml-nameid.xml
 +
 + <!-- SAML 2 NameID Generation -->
 +    <util:list id="shibboleth.SAML2NameIDGenerators">
 +
 +        <ref bean="shibboleth.SAML2TransientGenerator" />
 +
 +        <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
 +        <!-- Jehan -->
 +        <ref bean="shibboleth.SAML2PersistentGenerator" />
 +        <!--
 +        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
 +            p:omitQualifiers="true"
 +            p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
 +            p:attributeSourceIds="#{ {'mail'} }" >
 +                        <property name="activationCondition">
 +                        <bean parent="shibboleth.Conditions.RelyingPartyId"
 +                        c:candidate="https://account-d.docusign.com/organizations/cd450-d4aa-4f12-9b59-1160332/saml2"
 +                        />
 +                        </property>
 +                        </bean>
 +           -->
 +    </util:list>
 +</code>
 +
 +I keept shibboleth.SAML2AttributeSourcedGenerator as commented for example above, that was a way to designated a **candidate** SP dedicated to that NameID Generator, but finally here in this test IDP for docusign , default is persistent ID for all . 
 +
 +in  **saml-nameid.properties** we define the use of the mail attribute associated with a Salt 
 +here the **idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator** is defined (no need for a database storage)
 +
 +<code>
 +idp.persistentId.useUnfilteredAttributes = true
 +idp.persistentId.sourceAttribute = mail
 +idp.persistentId.encoding = BASE64
 +#jehan
 +idp.persistentId.algorithm = SHA
 +idp.persistentId.salt = secretpassfor202101isi # needs to long enough ! 
 +
 +# To use a database, use shibboleth.StoredPersistentIdGenerator
 +idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
 +</code>
 +
 +authN is associated with the authn Flow Password process in the IDP:
 +
 +<code>
 +[root@idpt conf]# grep authn.flows idp.properties
 + idp.authn.flows=Password
 +</code>
 +
 +and define the ldap backend with a filter based on mail attribute : 
 +
 +<code>
 +[root@idptest conf]# vim ldap.properties
 +idp.authn.LDAP.userFilter                       = (&(mail={user})(employeeType=Permanent))
 +##idp.attribute.resolver.LDAP.searchFilter        = (uid=$resolutionContext.principal)
 +idp.attribute.resolver.LDAP.searchFilter        = (mail=$resolutionContext.principal)
 +</code>
 +
 +
 +==== Mapped Attributes ====
 +
 +Now that authN is configured , we also need to send attributes to DocuSign SP in order to match mandatory attributes at first connexion in order to dynamically create account. 
 +these are the mandatory attributes : 
 +
 +  * sn (surname)
 +  * givenName
 +  * mail 
 +
 +and optionnally
 +
 +  * permissionProfileId
 +
 +this one allows to match a permission profile at login, for example sending a employeetyp attribute for Staff people could set their default profile to DS-Sender and for employeetype: employee  associated the default profile to simple DS-viewer . 
 +
 +:!: beware that these attributes are define in the interface with their urn/oid code, the "firendlyNames" sn , givenName, mail .... are not mapped :!: 
 +
 +{{:docpublic:systemes:shibboleth:shib-docusign-sp-idp-attributes.png?300|}}
 +
 +
 +===== shib IDP attribute-resolver =====
 +
 +In the IDP we use the **attribute-resolver-ldap.xml** (or attribute-resolver.xml)  file to define our customized for DocuSign for NameID mail attribute and permission (employeeType)  attribute . 
 +
 +<code>
 +[root@idptest conf]# grep attribute-resolver-ldap.xml services.xml
 +        <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>
 +</code>       
 +
 +==== mapped attributes ====
 +
 +in order to map DocuSign domains ID to our mail domains we need to map values 
 +
 +attribute-resolver.xml mapped employeType
 +
 +<code>
 +<AttributeDefinition id="employeeType" xsi:type="Mapped">
 +
 +   <InputDataConnector ref="passthroughAttributes" attributeNames="mail" />
 +    <DefaultValue passThru="false"/>
 +<!-- Values Prod -->
 +     <ValueMap>
 +        <ReturnValue>1601</ReturnValue>
 +        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue>
 +    </ValueMap>
 +    <ValueMap>
 +        <ReturnValue>1604</ReturnValue>
 +        <SourceValue caseSensitive="false">(.+)@imte-atlantic.fr</SourceValue>
 +    </ValueMap>
 +...
 + <ValueMap>
 +        <ReturnValue>16049193</ReturnValue>
 +        <SourceValue caseSensitive="false">(.+)@mines-ste.fr</SourceValue>
 +    </ValueMap>
 +
 + </AttributeDefinition>
 +
 +</code>
 +
 +idem for staticDSAccountID
 +
 +<code>
 +<AttributeDefinition id="staticDSAccountID" xsi:type="Mapped">
 +   <InputDataConnector ref="passthroughAttributes" attributeNames="mail" />
 +         <AttributeEncoder xsi:type="SAML2String"
 +          name="urn:oid:1.3.6.1.4.1.7391.5" friendlyName="staticDSAccountID" />
 +    <DefaultValue passThru="false"/>
 +    <!-- Values DocuSign Prod -->
 +    <!-- <ValueMap>
 +        <ReturnValue>14219580-a3e2</ReturnValue>
 +        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue>
 +    </ValueMap> -->
 +    <ValueMap>
 +        <ReturnValue>24035b51-b871-</ReturnValue>
 +        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue>
 +    </ValueMap>
 +    <ValueMap>
 +        <ReturnValue>76919292-2f64</ReturnValue>
 +        <SourceValue caseSensitive="false">(.+)@imte-atlantic.fr</SourceValue>
 +    </ValueMap>
 +...
 +  <ValueMap>
 +        <ReturnValue>557f440a-a124</ReturnValue>
 +        <SourceValue caseSensitive="false">(.+)@mines-ste.fr</SourceValue>
 +    </ValueMap>
 + </AttributeDefinition>
 +</code>
 +
 +==== Mail rewriting ====
 +
 +because on our campus we use 3 domains names in our users mail addresses, in order to simplify DocuSign domain claims and IDP declaration (+ metadata) , we recorded only one domain at DocuSign SP and manage to rewrite dynamically on our  IDP side the 2 other domains to the 1st one , which is the only one declared on DocuSign .
 +
 +To do that we uses a Mapped Attribute definition like this : 
 +
 +<code>        
 + [root@idptest conf]# vim attribute-resolver-ldap.xml
 +<AttributeDefinition id="mail" xsi:type="Mapped">
 +        <AttributeEncoder xsi:type="SAML1String"
 +                name="urn:mace:dir:attribute-def:mail" />
 +        <AttributeEncoder xsi:type="SAML2String"
 +                name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
 +
 +   <InputDataConnector ref="myLDAP" attributeNames="mail" />
 +    <DefaultValue passThru="true"/>
 +    <ValueMap>
 +        <ReturnValue>$1@domain1.eu</ReturnValue>
 +        <SourceValue>(.+)@domain2.eu</SourceValue>
 +    </ValueMap>
 +    <ValueMap>
 +        <ReturnValue>$1@domain1.eu</ReturnValue>
 +        <SourceValue>(.+)@domain3.eu</SourceValue>
 +    </ValueMap>
 + </AttributeDefinition>
 +</code>
 +
 +when a user connect with it's email address of givenName.Surname@**domain2**.eu , it is finally transmited to DocuSign SP as givenName.Surname@**domain1**.eu . 
 +
 +==== Permission map ====
 +
 +We also used a mapped attribute definition in oder to match Roles/Permission of DS-Sender vs DS-viewer , repectivelly  1122394 and 1122395
 +
 +<code>
 +<AttributeDefinition id="employeeType" xsi:type="Mapped">
 +
 +   <InputDataConnector ref="myLDAP" attributeNames="employeeType" />
 +    <DefaultValue passThru="false"/>
 +    <ValueMap>
 +        <ReturnValue>1122394</ReturnValue>
 +        <SourceValue caseSensitive="false">Permanent</SourceValue>
 +    </ValueMap>
 +    <ValueMap>
 +        <ReturnValue>1122395</ReturnValue>
 +        <SourceValue partialMatch="true" caseSensitive="false">Doctorant</SourceValue>
 +    </ValueMap>
 +    <ValueMap>
 +        <ReturnValue>1122395</ReturnValue>
 +        <SourceValue partialMatch="true" caseSensitive="false">Vacataire</SourceValue>
 +    </ValueMap>
 + </AttributeDefinition>
 +</code>
 +
 +==== static AttributeDefinition for AccountID ====
 +
 +DocuSign support told us also to send a static value for the accoundID so that automatic profile affectation could be done
 +
 +we can get our API account ID from the E-Signature parameter screen , left menu => API-Keys
 +
 +{{:docpublic:systemes:shibboleth:shib-docusign-sp-accoundid.png?300|}}
 +
 +then we need our IDP to map and send that static value for everyone, so we creted a staticDataconnector and the associated decated static AttributeDefinition for thos DocuSign authZ feature with the creation of a custom staticDSAccountID attribute : 
 +
 +references :
 +
 +  * https://wiki.shibboleth.net/confluence/display/IDP4/StaticDataConnector
 +  * https://wiki.shibboleth.net/confluence/display/IDP4/SimpleAttributeDefinition
 +
 +in conf/attribute-resolver-ldap.xml
 +
 +<code>
 +
 +   <!-- disi JP for DocuSign -->
 +
 +<AttributeDefinition xsi:type="Simple" id="staticDSAccountID">
 +        <InputDataConnector ref="staticAttributes" attributeNames="staticDSAccountID" />
 +         <AttributeEncoder xsi:type="SAML2String"
 +                name="urn:oid:1.3.6.1.4.1.7399.1.1.1.1" friendlyName="staticDSAccountID" />
 +</AttributeDefinition>
 +
 +        <DataConnector id="staticAttributes" xsi:type="Static">
 +                <Attribute id="staticDSAccountID">
 +                        <Value>ai4dc9cfa7-dd39-aad1-884c-2f9b17574224</Value>
 +                </Attribute>
 +        </DataConnector>
 +        </AttributeResolver>
 +</code>
 +
 +==== Special case when unsing NAT ( checkAddress="false" ) ====
 +
 +clients in specific site which don't have many public IPs addresses use NAT , and it breaks the flow of using a proxied IDP 
 +In that case we must disable "checkAddress" in the IDP (as proxy)  configuration . 
 +
 +Analagous to the SP, there's a checkAddress setting on the SAML2.SSO profile configuration bean.
 +
 +https://wiki.shibboleth.net/confluence/display/IDP4/SAML2SSOConfiguration#55804373d9264505e7b248218c3ea26c3fd35a11
 +
 +
 + from examples in the doc: 
 +  * https://wiki.shibboleth.net/confluence/display/IDP4/RelyingPartyConfiguration
 +I understand that I can specify the checkAddress attribute only for those "2nd Hand/backends" IDPs of my idp-proxy by listing them specifically in relying-party.xml :
 +<code>
 +<util:list id="shibboleth.RelyingPartyOverrides">
 + <bean id="proxyBackendIdps" parent="RelyingPartyByName">
 +                 <constructor-arg name="relyingPartyIds">
 +                <list>
 +                        <value>https://idp.school1.fr/idp/shibboleth</value>
 +                        <value>https://idp.school2.fr/idp/shibboleth</value>
 +                        <value>https://multipass.school3.fr/idp/shibboleth</value>
 +                </list>
 +                </constructor-arg>
 +            <property name="profileConfigurations">
 +                <list>
 +                    <bean parent="SAML2.SSO" p:checkAddress="false" />
 +                </list></property> </bean> </util:list>
 +</code>
docpublic/systemes/shibboleth/docusign.1611828787.txt.gz · Last modified: 2021/01/28 10:13 by procacci@tem-tsp.eu
Show pageOld revisions
[unknown link type]Back to top
CC Attribution-Noncommercial-Share Alike 4.0 International
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0