Our SSO (AuthType shibboleth) is used; clarify the details (e.g. for group queries) with ZID.
The file attribute-map.xml looks like this:

    <Attribute name="urn:oid:CO-TCSMAIL-C" id="TCSMAIL" />
    <Attribute name="urn:oid:CO-ACCOUNTTYPE-STATUS-C-oid" id="STATUS" />
    <Attribute name="urn:oid:TUGONLINE-GROUPMEMBERSHIP" id="groupMembership" />
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="ASSURANCE" />

Lines such as the following are then entered in httpd.conf:
Example for data classified as TLP:WHITE, TLP:GREEN or TLP:AMBER:
    <VirtualHost *:80>
        ServerName your_server.tugraz.at
        # plain HTTP only redirects to HTTPS; nothing is served on port 80
        Redirect permanent / https://your_server.tugraz.at/
    </VirtualHost>

    <VirtualHost your_server.tugraz.at:443>
        ServerName your_server.tugraz.at
        …
        # TLP:WHITE: the document root is readable without a session
        DocumentRoot /path/to/white
        …
        # TLP:GREEN: a Shibboleth session is required and STATUS must match BEDIENSTETE:OK
        <Directory "/path/to/green/">
            AuthType shibboleth
            ShibRequireSession On
            <RequireAll>
                Require shib-attr STATUS ~ BEDIENSTETE:OK
            </RequireAll>
        </Directory>
        …
        # TLP:AMBER: a Shibboleth session is required and the user must be a member of the named group
        <Directory "/path/to/amber/">
            AuthType shibboleth
            ShibRequireSession On
            <RequireAll>
                Require shib-attr groupMembership "CN=…"
            </RequireAll>
        </Directory>
    </VirtualHost>
Data classified as TLP:RED should ideally not end up on a publicly accessible web server at all, as they could become public in the event of a misconfiguration or an attack. However, if the web server serves as an archive, for example, access should be restricted to very few authorised users:
    <Directory "/path/to/red/">
        AuthType shibboleth
        ShibRequireSession On
        # Both conditions sit inside one RequireAll. A Require directive placed
        # outside the container is OR-ed with it (implicit RequireAny), so any
        # authenticated user would pass.
        <RequireAll>
            Require valid-user
            Require shib-attr USERNAME your_username
        </RequireAll>
    </Directory>

or

    <Directory "/path/to/red/">
        AuthType shibboleth
        ShibRequireSession On
        <RequireAll>
            Require valid-user
            Require shib-attr TCSMAIL your_email_address
        </RequireAll>
    </Directory>
    # csh/tcsh snippet: decode the ASSURANCE bit mask that the SP exports as $ASSURANCE
    #
    # Unverified identity:
    #   the user has entered their data, but it has not yet been verified by
    #   TU Graz staff.
    # Verified identity:
    #   the data entered by the user has been checked by staff against a copy
    #   of an official photo ID.
    #
    #    1 = 00000000001  # unverified identity (unverified)
    #    2 = 00000000010  # basic user / student pre-registration (unverified)
    #                     # (= via TUGRAZonline)
    #    4 = 00000000100  # basic user / bulk registration (unverified)
    #                     # (= via TUGRAZonline)
    #    8 = 00000001000  # basic user / self-registration (verified)
    #                     # (= via Keycloak)
    #   16 = 00000010000  # staff (verified) (= staff profile)
    #   32 = 00000100000  # alumni (verified) (= alumni profile)
    #   64 = 00001000000  # students / TU (verified) (= student profile)
    #  128 = 00010000000  # students / co-registered NAWI (verified)
    #                     # (= student profile + NAWI degree programme)
    #  256 = 00100000000  # students / co-registered Entwicklungsverbund Süd-Ost (verified)
    #                     # (= student profile + teacher education programme)
    #  512 = 01000000000  # external lecturers
    #                     # (study cooperations, e.g. NAWI, without an employment
    #                     # relationship (DV) with TU Graz)
    # 1024 = 10000000000  # users from a federation (verified externally)
    #                     # (via Keycloak)

    # one slot per bit; index 1 holds the highest bit (1024), index 11 the lowest (1)
    set binary_array = (0 0 0 0 0 0 0 0 0 0 0)
    @ length = 12
    # convert the decimal ASSURANCE value to binary, lowest bit first
    @ binary = $ASSURANCE
    while ($binary > 0)
        @ length --
        @ digit = $binary % 2
        @ binary_array[$length] = $digit
        @ binary /= 2
    end
    if ($binary_array[11] == 1) echo "ungeprüft "
    if ($binary_array[10] == 1) echo "Basisanwender/in (Voranmeldung) "
    if ($binary_array[9] == 1) echo "Basisanwender/in (Bulk) "
    if ($binary_array[8] == 1) echo "Basisanwender/in (Selbstregistrierung) "
    if ($binary_array[7] == 1) echo "Mitarbeiter/in "
    if ($binary_array[6] == 1) echo "Alumni "
    if ($binary_array[5] == 1) echo "Studierende/r "
    if ($binary_array[4] == 1) echo "NAWI Graz "
    if ($binary_array[3] == 1) echo "Lehramtsstudium "
    if ($binary_array[2] == 1) echo "Externe/r Lehrende/r "
    if ($binary_array[1] == 1) echo "Föderation"
    # Example:
    #   ASSURANCE = 112 = 00001110000
    #   → Mitarbeiter/in Alumni Studierende/r
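As an added example (not part of the original page), the same ASSURANCE decoding in Python, as a WSGI or CGI application running behind the SP might do it. It uses the bit table above and goes slightly beyond the csh script: it separates verified from unverified levels, reports bits the table does not document instead of silently dropping them, and treats a missing or malformed attribute as "no assurance". The English level names are this example's own, and bit 512 (not marked verified or unverified in the table) is counted as not verified here by assumption.

```python
import os
from typing import List, Mapping

# ASSURANCE bit values from the table above: (bit, label, verified).
# Labels are this example's own English names. Bit 512 is not marked either
# way in the table, so it is conservatively treated as not verified here.
ASSURANCE_BITS = [
    (1, "unverified identity", False),
    (2, "basic user (student pre-registration)", False),
    (4, "basic user (bulk registration)", False),
    (8, "basic user (self-registration)", True),
    (16, "staff", True),
    (32, "alumni", True),
    (64, "student (TU)", True),
    (128, "student (co-registered NAWI)", True),
    (256, "student (co-registered Entwicklungsverbund Sued-Ost)", True),
    (512, "external lecturer", False),
    (1024, "federation user (verified externally)", True),
]
KNOWN_MASK = sum(bit for bit, _, _ in ASSURANCE_BITS)


def assurance_from_env(environ: Mapping[str, str] = os.environ) -> int:
    """Read ASSURANCE as mod_shib exports it into the CGI/WSGI environment.

    A multi-valued attribute arrives ';'-separated; only the first value is
    used. Anything missing or non-numeric yields 0 (no assurance at all),
    so a broken attribute can never grant more than an empty one.
    """
    first = environ.get("ASSURANCE", "").split(";", 1)[0].strip()
    return int(first) if first.isdigit() else 0


def decode_assurance(value: int) -> List[str]:
    """Names of all levels whose bit is set, plus any undocumented bits."""
    names = [label for bit, label, _ in ASSURANCE_BITS if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append(f"undocumented bits 0x{unknown:x}")
    return names


def is_verified(value: int) -> bool:
    """True only if at least one bit marked 'verified' in the table is set.

    Undocumented bits never count: a level the table does not know must be
    reviewed before it can unlock anything.
    """
    return any(value & bit for bit, _, verified in ASSURANCE_BITS if verified)


if __name__ == "__main__":
    v = assurance_from_env({"ASSURANCE": "112"})  # constructed sample, as on the page
    print(v, decode_assurance(v), is_verified(v))
```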