@AshMartian
Created May 5, 2017 15:15
Shibboleth Attribute Resolver
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is an EXAMPLE configuration file. While the configuration
presented in this example file is semi-functional, it isn't very
interesting. It is here only as a starting point for your deployment
process.
Very few attribute definitions and data connectors are demonstrated,
and the data is derived statically from the logged-in username and a
static example connector.
Attribute-resolver-full.xml contains more examples of attributes,
encoders, and data connectors. Deployers should refer to the Shibboleth
documentation for a complete list of components and their options.
-->
<resolver:AttributeResolver
xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
xmlns:sec="urn:mace:shibboleth:2.0:security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- ========================================== -->
<!--
The EPPN is the "standard" federated username in higher ed.
For guidelines on the implementation of this attribute, refer
to the Shibboleth and eduPerson documentation. Above all, do
not expose a value for this attribute without considering the
long term implications.
-->
<!--
The uid is the closest thing to a "standard" LDAP attribute
representing a local username, but you should generally *never*
expose uid to federated services, as it is rarely globally unique.
-->
<!--<resolver:AttributeDefinition id="uid" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
</resolver:AttributeDefinition>-->
<!--
    uid: the authenticated principal name itself (no connector lookup).
    No encoder, so it is not released; the "role" script declares a
    Dependency on "uid" and reads it.
    NOTE(review): a second AttributeDefinition with id="uid" (ad:Simple,
    sourced from samaccountname) appears further down this file. Two
    definitions with the same id either override each other or fail to
    load depending on the IdP version; keep only one.
-->
<resolver:AttributeDefinition id="uid" xsi:type="ad:PrincipalName" />
<!--
    LDAP connector for the PSD directory. Every definition below that
    declares a Dependency on "psdldap" reads its source attribute from the
    entry matched by FilterTemplate.
    NOTE(review): ldapURL uses the plain ldap:// scheme and useStartTLS is
    false, so the bind credential and every returned attribute cross the
    network without transport encryption; prefer ldaps:// or
    useStartTLS="true" once the directory's certificate is trusted by the IdP.
    NOTE(review): the bind password is an inline literal in a file that is
    easy to share (as this one was). Referencing a property instead, e.g.
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    set in ldap.properties on IdP v3, keeps the secret out of the resolver.
    NOTE(review): $requestContext.principalName is the IdP v2 template
    variable; confirm the deployed version still resolves it (v3 also
    provides $resolutionContext.principal).
-->
<resolver:DataConnector id="psdldap"
                        xsi:type="dc:LDAPDirectory"
                        ldapURL="ldap://ldap-ip"
                        baseDN="ou=psd,dc=peninsula,dc=wednet,dc=edu"
                        principal="CN=username,OU=Service,OU=Misc,OU=NOC,OU=PSD,DC=Peninsula,DC=Wednet,DC=edu"
                        principalCredential="password"
                        lowercaseAttributeNames="true"
                        useStartTLS="false">
    <!-- the entry whose samaccountname equals the authenticated principal name -->
    <dc:FilterTemplate>(samaccountname=$requestContext.principalName)</dc:FilterTemplate>
    <!-- attributes read from that entry; with lowercaseAttributeNames="true"
         the definitions below refer to them by these lower-case ids -->
    <dc:ReturnAttributes>givenname sn mail employeetype distinguishedname samaccountname department memberof</dc:ReturnAttributes>
</resolver:DataConnector>
<!--
    login_id: the LDAP samaccountname, released as SAML1
    "urn:mace:dir:attribute-def:login_id" and SAML2 "login_id".
-->
<resolver:AttributeDefinition id="login_id"
                              xsi:type="ad:Simple"
                              sourceAttributeID="samaccountname">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
                               name="urn:mace:dir:attribute-def:login_id" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="login_id"
                               friendlyName="login_id" />
</resolver:AttributeDefinition>
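<!--
    user_id: the LDAP samaccountname prefixed with "psd_", released as SAML1
    "urn:mace:dir:attribute-def:user_id" and SAML2 "id" (friendly name
    "user_id").
-->
<resolver:AttributeDefinition id="user_id" xsi:type="ad:Script">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
                               name="urn:mace:dir:attribute-def:user_id" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="id"
                               friendlyName="user_id" />
    <ad:Script><![CDATA[
        // importPackage is Rhino syntax; on a Nashorn (Java 8) engine it needs
        // load("nashorn:mozilla_compat.js") first - confirm against the IdP JVM.
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        if (user_id == null) {
            user_id = new BasicAttribute("user_id");
        }
        // samaccountname is null when the connector returned no entry, and an
        // empty value list makes get(0) throw; either way the script used to
        // abort. Leave user_id empty in those cases instead.
        if (samaccountname != null && !samaccountname.getValues().isEmpty()) {
            user_id.getValues().add("psd_" + samaccountname.getValues().get(0));
        }
    ]]></ad:Script>
</resolver:AttributeDefinition>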
<!--
    givenname: LDAP givenname, released as SAML2 "givenName". Also read by
    the "fullname" script.
-->
<resolver:AttributeDefinition id="givenname"
                              xsi:type="ad:Simple"
                              sourceAttributeID="givenname">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="givenName"
                               friendlyName="givenName" />
</resolver:AttributeDefinition>
<!--
    sn: LDAP surname. Carries no encoder, so it is never released on its
    own; it exists as an input for the "fullname" script.
-->
<resolver:AttributeDefinition id="sn"
                              xsi:type="ad:Simple"
                              sourceAttributeID="sn">
    <resolver:Dependency ref="psdldap" />
</resolver:AttributeDefinition>
<!-- familyname: LDAP sn, released as SAML2 "familyName" -->
<resolver:AttributeDefinition id="familyname"
                              xsi:type="ad:Simple"
                              sourceAttributeID="sn">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="familyName"
                               friendlyName="familyName" />
</resolver:AttributeDefinition>
<!--
    username: LDAP samaccountname, released as SAML2
    "urn:mace:dir:attribute-def:username" (no friendly name).
-->
<resolver:AttributeDefinition id="username"
                              xsi:type="ad:Simple"
                              sourceAttributeID="samaccountname">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:mace:dir:attribute-def:username" />
</resolver:AttributeDefinition>
<!--
    homeroom-username: LDAP samaccountname, released as SAML2
    "externalApplicationUserName".
-->
<resolver:AttributeDefinition id="homeroom-username"
                              xsi:type="ad:Simple"
                              sourceAttributeID="samaccountname">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="externalApplicationUserName" />
</resolver:AttributeDefinition>
<!--
    uid: LDAP samaccountname, released as SAML2 "uid".
    NOTE(review): an earlier AttributeDefinition in this file also uses
    id="uid" (ad:PrincipalName). Duplicate ids either override each other
    or fail to load depending on the IdP version; the "role" script depends
    on "uid", so decide which definition it should see and remove the other.
-->
<resolver:AttributeDefinition id="uid"
                              xsi:type="ad:Simple"
                              sourceAttributeID="samaccountname">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="uid" />
</resolver:AttributeDefinition>
<!--
    group: the raw LDAP memberof values (multi-valued), released as SAML2
    "group". Presumably these are full group DNs, which reveal the
    directory's OU layout to every relying party that receives the
    attribute; a mapped or filtered definition would release less.
-->
<resolver:AttributeDefinition id="group"
                              xsi:type="ad:Simple"
                              sourceAttributeID="memberof">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="group"
                               friendlyName="group" />
</resolver:AttributeDefinition>
<!--
    mail: LDAP mail, released as SAML2 "mail".
    NOTE(review): an identical definition with id="mail" appears again
    later in this file; only one should remain.
-->
<resolver:AttributeDefinition id="mail"
                              xsi:type="ad:Simple"
                              sourceAttributeID="mail">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="mail"
                               friendlyName="mail" />
</resolver:AttributeDefinition>
<!-- email: LDAP mail, released a second time under the SAML2 name "email" -->
<resolver:AttributeDefinition id="email"
                              xsi:type="ad:Simple"
                              sourceAttributeID="mail">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="email"
                               friendlyName="email" />
</resolver:AttributeDefinition>
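<!--
    A second, byte-identical AttributeDefinition with id="mail" (ad:Simple
    from LDAP mail, SAML2 encoder "mail") used to sit here. It was removed:
    the same attribute is already defined above, and two resolver components
    with one id either override each other or fail to load depending on the
    IdP version.
-->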
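<!--
    fullname: "<givenname> <sn>", released as SAML2 "User.name". Depends on
    the givenname and sn attribute definitions rather than on the connector.
-->
<resolver:AttributeDefinition id="fullname" xsi:type="ad:Script">
    <resolver:Dependency ref="givenname" />
    <resolver:Dependency ref="sn" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="User.name" />
    <ad:Script><![CDATA[
        // importPackage is Rhino syntax; on a Nashorn (Java 8) engine it needs
        // load("nashorn:mozilla_compat.js") first - confirm against the IdP JVM.
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        if (fullname == null) {
            fullname = new BasicAttribute("fullname");
        }
        // Either input is null when the directory entry lacks it (or the
        // lookup failed), and get(0) throws on an empty value list; the
        // script used to abort in those cases. Leave fullname empty instead.
        var hasGiven = givenname != null && !givenname.getValues().isEmpty();
        var hasSn = sn != null && !sn.getValues().isEmpty();
        if (hasGiven && hasSn) {
            fullname.getValues().add(givenname.getValues().get(0) + " " + sn.getValues().get(0));
        }
    ]]></ad:Script>
</resolver:AttributeDefinition>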
<!-- User.FirstName: LDAP givenname, released as SAML2 "User.FirstName" (basic name format) -->
<resolver:AttributeDefinition id="User.FirstName"
                              xsi:type="ad:Simple"
                              sourceAttributeID="givenname">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                               name="User.FirstName"
                               friendlyName="User.FirstName" />
</resolver:AttributeDefinition>
<!-- User.LastName: LDAP sn, released as SAML2 "User.LastName" (basic name format) -->
<resolver:AttributeDefinition id="User.LastName"
                              xsi:type="ad:Simple"
                              sourceAttributeID="sn">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                               name="User.LastName"
                               friendlyName="User.LastName" />
</resolver:AttributeDefinition>
<!--
    User.email: LDAP mail. Released as an attribute (SAML1
    "urn:mace:dir:attribute-def:email", SAML2 "User.email") and as the
    subject NameID in emailAddress format for both SAML1 and SAML2.
    NOTE(review): four SAML2StringNameID encoders share the same nameFormat
    and differ only in nameQualifier (three relying-party URLs, one unset).
    nameQualifier sets the NameQualifier value on the emitted NameID; it does
    not select which relying party an encoder applies to, so the extra
    encoders look redundant. Confirm which NameID the IdP actually emits
    before relying on them.
-->
<resolver:AttributeDefinition id="User.email"
                              xsi:type="ad:Simple"
                              sourceAttributeID="mail">
    <resolver:Dependency ref="psdldap" />
    <!-- SAML2 NameID encoders -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                               nameQualifier="https://psdts.freshdesk.com/login/saml" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                               nameQualifier="https://api.schooldata.net/dev/access/SDS_PeninsulaTestSchoolDistrict/saml" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                               nameQualifier="https://martinb.jamfcloud.com/saml/metadata" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    <!-- SAML1 NameIdentifier encoder -->
    <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    <!-- plain attribute encoders -->
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
                               name="urn:mace:dir:attribute-def:email" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                               name="User.email"
                               friendlyName="User.email" />
</resolver:AttributeDefinition>
<!--
    User.Username: released as SAML2 "User.Username" (basic name format).
    NOTE(review): sourceAttributeID is sn (the surname), while every other
    username-style definition in this file is sourced from samaccountname.
    Confirm that a surname is really what the relying party expects here.
-->
<resolver:AttributeDefinition id="User.Username"
                              xsi:type="ad:Simple"
                              sourceAttributeID="sn">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                               name="User.Username"
                               friendlyName="User.Username" />
</resolver:AttributeDefinition>
<!-- department: LDAP department, released as SAML2 "department" (basic name format) -->
<resolver:AttributeDefinition id="department"
                              xsi:type="ad:Simple"
                              sourceAttributeID="department">
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                               name="department"
                               friendlyName="department" />
</resolver:AttributeDefinition>
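<!--
    role: "teacher" when the LDAP employeetype values contain "Staff",
    otherwise "student". Released as SAML2 "role".
-->
<resolver:AttributeDefinition id="role" xsi:type="ad:Script">
    <resolver:Dependency ref="uid" />
    <resolver:Dependency ref="psdldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="role" />
    <ad:Script><![CDATA[
        // importPackage is Rhino syntax; on a Nashorn (Java 8) engine it needs
        // load("nashorn:mozilla_compat.js") first - confirm against the IdP JVM.
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        importPackage(Packages.org.slf4j);
        var logger = LoggerFactory.getLogger("LDP_PSD");
        if (role == null) {
            role = new BasicAttribute("role");
        }
        // employeetype may be absent from the directory entry; treat that as
        // non-staff rather than failing.
        var isStaff = employeetype != null && employeetype.getValues().contains("Staff");
        // Log only the decision and whether the input was present. The earlier
        // version logged the principal's uid, mail and surname at INFO on every
        // login (personal data in the IdP log) and dereferenced employeetype
        // after having checked it for null, which threw whenever it was missing.
        logger.debug("role resolution: employeetype present=" + (employeetype != null)
                     + ", staff=" + isStaff);
        role.getValues().add(isStaff ? "teacher" : "student");
    ]]></ad:Script>
</resolver:AttributeDefinition>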
<!--
    timestamp: the current time in milliseconds since the epoch, as a
    string, released as SAML2 "timestamp". No dependencies; the value is
    computed at resolution time.
-->
<resolver:AttributeDefinition id="timestamp" xsi:type="ad:Script">
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="timestamp" />
    <ad:Script><![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        if (timestamp == null) {
            timestamp = new BasicAttribute("timestamp");
        }
        var nowMillis = new Date().getTime();
        timestamp.getValues().add(nowMillis.toString());
    ]]></ad:Script>
</resolver:AttributeDefinition>
<!--
This is an example of an attribute sourced from a data connector.
-->
<!--
    eduPersonAffiliation: the static "affiliation" value with the IdP scope
    appended (ad:Scoped), released under the eduPersonScopedAffiliation
    SAML1 name and the SAML2 OID urn:oid:1.3.6.1.4.1.5923.1.1.1.9 (friendly
    name "eduPersonAffiliation").
-->
<resolver:AttributeDefinition id="eduPersonAffiliation"
                              xsi:type="ad:Scoped"
                              scope="%{idp.scope}"
                              sourceAttributeID="affiliation">
    <resolver:Dependency ref="staticAttributes" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
                               name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                               encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
                               friendlyName="eduPersonAffiliation"
                               encodeType="false" />
</resolver:AttributeDefinition>
<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->
<!-- Static connector: every principal gets affiliation = "member" -->
<resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
    <dc:Attribute id="affiliation">
        <dc:Value>member</dc:Value>
    </dc:Attribute>
</resolver:DataConnector>
<!--
    Maps an inbound transient NameID back to a principal.
    NOTE(review): nameIDFormat is "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",
    which is not a format defined by the SAML 2.0 specification; the
    emailAddress format used by the encoders above is the SAML 1.1 URN, and
    a pc:Transient connector is normally bound to
    urn:oasis:names:tc:SAML:2.0:nameid-format:transient. Confirm which was
    intended.
-->
<resolver:PrincipalConnector id="saml2Transient"
                             xsi:type="pc:Transient"
                             nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" />
</resolver:AttributeResolver>