New UK federation Shibboleth extension now available

Posted on Thursday, 5 July 2012

The UK federation has developed a Shibboleth IdP extension which lets the identity provider release an attribute whose value depends on the user's IP address. So, for example, the IdP could release an entitlement indicating that a student was logging in from the campus network.

This allows the user's IP address to be matched against policy rules, so that service providers can be informed about the user's network location.

An example of how this could be used would be where a licence has different terms for on-site and home use. The “user agent attribute” could then be used to define which locations were permissible for a particular use case. In the context of a resource whose licence terms meant it should only be accessed when supervised by a teacher (in a schools context), it would allow the resource provider to prevent a user from accessing the content when outside a school.

The source repository for the extension can be found here:

https://github.com/ukf/ua-attribute-idp-ext

If you would like to try it out on an IdP, you can download a binary package with installation instructions from here:

http://ukf.github.io/downloads/

The extension works with the latest IdP (2.3.X), in both SAML 1.1 and SAML 2.0, and for both front-channel and back-channel attribute transmission.

The configuration is generic enough to allow you to create multiple attributes, each with multiple values dependent on matches against the user agent's IP address at the time of authentication.
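As an added illustration of the matching logic described above (this is not the extension's own code or its configuration format), the following Python sketch evaluates a constructed set of CIDR-based rules against the client address and returns, per attribute, the values that would be released:

```python
import ipaddress

# Constructed rule set for illustration; it is not the extension's own
# configuration syntax. Each attribute has (network, value) rules, and a
# value is released when the client's IP address lies inside that network.
RULES = {
    "eduPersonEntitlement": [
        ("192.0.2.0/24", "urn:example:campus-network"),
        ("198.51.100.0/24", "urn:example:campus-network"),
        ("192.0.2.0/26", "urn:example:admin-building"),
        ("2001:db8:1::/48", "urn:example:campus-network"),
    ],
    "networkLocation": [
        ("192.0.2.0/24", "on-site"),
        ("198.51.100.0/24", "on-site"),
        ("2001:db8:1::/48", "on-site"),
    ],
}

def compile_rules(rules):
    # Parse the CIDR strings once so a malformed rule fails at startup, not per login.
    return {attr: [(ipaddress.ip_network(net), value) for net, value in entries]
            for attr, entries in rules.items()}

COMPILED_RULES = compile_rules(RULES)

def resolve_location_attributes(client_ip, rules=COMPILED_RULES):
    """Return {attribute: [values]} for every rule matching client_ip.
    client_ip must be the address of the authenticated connection as the IdP
    sees it (after any trusted reverse proxy), never a browser-supplied header.
    Unparseable addresses release nothing; attributes with no match are omitted.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return {}
    # Normalise IPv4-mapped IPv6 addresses (::ffff:192.0.2.10) to plain IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    result = {}
    for attr, entries in rules.items():
        values = []
        for network, value in entries:
            if addr.version == network.version and addr in network and value not in values:
                values.append(value)
        if values:
            result[attr] = values
    return result
```

An address inside two overlapping networks for the same attribute yields both values (deduplicated), which is how one attribute can carry several location-dependent values.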

We would welcome feedback on the extension, particularly specific use cases that people may use it for.

For that, or any other questions concerning the extension, please don’t hesitate to contact the federation helpdesk.

Edited by SteveGlover on 06 April 2013, at 05:31 PM