
policy.conf

The policy.conf file controls which authentication methods (e.g. Shibboleth, OpenID) are permissible and how authentications from those methods are converted into X.509 credentials.

The basic format of the file is as follows. An AuthMethod element covers one particular authentication method. The IdPNameSpace element defines a wildcard pattern that identity providers are matched against. Inside that element, the DN variable defines how distinguished names are generated for that namespace. The Comment element is used only for logging, to identify the IdP namespace more clearly, and can be any value desired.

<AuthMethod Shibboleth>
  ShibbolethRelativeDN "o=Shibboleth, ${RelativeDN}"
  <IdPNameSpace urn:mace:incommon:*>
    Comment InCommon IdPs
    DN "cn=${UserId}, ou=${IdPId}, ${ShibbolethRelativeDN}"
  </IdPNameSpace>
</AuthMethod>

A pound character (#) indicates a comment. Everything from the # to the end of the line is ignored.

The configuration is parsed with the Config::General module. For details, please see its documentation.

A string such as ${var} is replaced with the value of the variable as defined elsewhere in the section or outside the section.

The variables ${UserId} and ${IdPId} are set by the parsing code to the user identifier and the identity provider, respectively, of the user in question.

Additionally, any attributes collected from the web authentication will be available. Currently, since OpenID attributes are not yet supported, this is meaningful only for Shibboleth. For a complete list of the Shibboleth attributes available, please see the documentation for ShibLogon.pm. Here is an example policy using Shibboleth attributes:

<AuthMethod Shibboleth>
  ShibbolethRelativeDN "o=Shibboleth, ${RelativeDN}"
  <IdPNameSpace urn:mace:incommon:*>
    Comment InCommon IdPs
    DN "cn=${HTTP_EPPN}, ou=${IdPId}, ${ShibbolethRelativeDN}"
  </IdPNameSpace>
</AuthMethod>
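To make the wildcard matching and ${var} substitution rules concrete, here is an added Python sketch; it is not CILogon's own code (which is Perl and uses Config::General). It assumes the policy has already been parsed into nested dicts, assumes a value for RelativeDN, and adds RFC 4514 escaping of request-supplied attribute values, a safeguard the page itself does not describe.

```python
import fnmatch
import re

# Constructed policy mirroring the page's second example. A nested dict stands
# in for Config::General's parse tree; RelativeDN is an assumed global value.
POLICY = {
    "RelativeDN": "dc=cilogon, dc=org",
    "AuthMethod": {
        "Shibboleth": {
            "ShibbolethRelativeDN": "o=Shibboleth, ${RelativeDN}",
            "IdPNameSpace": {
                "urn:mace:incommon:*": {
                    "Comment": "InCommon IdPs",
                    "DN": "cn=${HTTP_EPPN}, ou=${IdPId}, ${ShibbolethRelativeDN}",
                },
            },
        },
    },
}

VAR = re.compile(r"\$\{(\w+)\}")


def escape_rdn_value(value):
    """RFC 4514 escaping of the printable specials, so an attribute value taken
    from the IdP cannot add or alter RDNs in the generated DN (added here)."""
    s = "".join("\\" + ch if ch in '\\,+"<>;' else ch for ch in value)
    if s.startswith(("#", " ")):
        s = "\\" + s
    if s.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def expand(template, config_scopes, attrs):
    """Resolve ${var}: request attributes are escaped as data; config-defined
    variables are DN fragments and are expanded recursively, innermost scope first."""
    def sub(match):
        name = match.group(1)
        if name in attrs:
            return escape_rdn_value(attrs[name])
        for scope in config_scopes:
            value = scope.get(name)
            if isinstance(value, str):
                return expand(value, config_scopes, attrs)
        raise KeyError("undefined variable " + name)
    return VAR.sub(sub, template)


def build_dn(policy, method, idp_id, user_id, attrs):
    """Return the DN for the first IdPNameSpace whose wildcard matches idp_id,
    or None when no namespace matches (no credential should be issued)."""
    section = policy["AuthMethod"][method]
    for pattern, namespace in section["IdPNameSpace"].items():
        if fnmatch.fnmatchcase(idp_id, pattern):
            scopes = [namespace, section, policy]   # section-local vars win
            all_attrs = dict(attrs, UserId=user_id, IdPId=idp_id)
            return expand(namespace["DN"], scopes, all_attrs)
    return None
```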
