Shibboleth Attribute Resolver
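<?xml version="1.0" encoding="UTF-8"?>
<!--
    Attribute resolver for the "psdldap" directory. Every released attribute below is
    derived from the LDAP connector of that id, plus one static connector kept from the
    stock IdP example. Attribute-resolver-full.xml in the IdP distribution contains more
    examples of attributes, encoders, and data connectors; deployers should refer to the
    Shibboleth documentation for a complete list of components and their options.

    Review notes are marked NOTE(review) and should be resolved before deployment.
-->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:sec="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
                        urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
                        urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
                        urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
                        urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">

    <!-- ========================================== -->
    <!--              Attribute Definitions          -->
    <!-- ========================================== -->

    <!--
        The EPPN is the "standard" federated username in higher ed.
        For guidelines on the implementation of this attribute, refer
        to the Shibboleth and eduPerson documentation. Above all, do
        not expose a value for this attribute without considering the
        long term implications.
    -->

    <!--
        The uid is the closest thing to a "standard" LDAP attribute
        representing a local username, but you should generally *never*
        expose uid to federated services, as it is rarely globally unique.
    -->
    <!--<resolver:AttributeDefinition id="uid" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
    </resolver:AttributeDefinition>-->

    <!--
        NOTE(review): "uid" is defined twice in this file - here as the authenticated
        principal name, and again further down as an ad:Simple copy of samaccountname
        that carries the SAML2 encoder. Two definitions sharing one id are a
        configuration error; keep exactly one. The "role" script depends on "uid",
        so whichever definition is kept must retain that id.
    -->
    <resolver:AttributeDefinition xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                                  id="uid" />

    <!--
        LDAP lookup keyed on the authenticated principal name (samaccountname).
        lowercaseAttributeNames="true" is what lets the lower-case names used in the
        scripts and sourceAttributeIDs below (samaccountname, givenname, memberof, ...)
        match an Active Directory schema.

        NOTE(review): the bind password is inline in this file and the connection is
        plain ldap:// with useStartTLS="false", so the service-account credential and
        every user's attributes cross the network in the clear. Before deployment use
        ldaps:// (or useStartTLS="true" with a trust configuration) and keep the
        credential out of this file, e.g. via the %{...} property placeholders this
        file already uses for idp.scope. "ldap-ip" and "password" are placeholders.
    -->
    <resolver:DataConnector xsi:type="dc:LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                            id="psdldap"
                            ldapURL="ldap://ldap-ip"
                            baseDN="ou=psd,dc=peninsula,dc=wednet,dc=edu"
                            principal="CN=username,OU=Service,OU=Misc,OU=NOC,OU=PSD,DC=Peninsula,DC=Wednet,DC=edu"
                            principalCredential="password"
                            lowercaseAttributeNames="true"
                            useStartTLS="false">
        <dc:FilterTemplate>(samaccountname=$requestContext.principalName)</dc:FilterTemplate>
        <dc:ReturnAttributes>givenname sn mail employeetype distinguishedname samaccountname department memberof</dc:ReturnAttributes>
    </resolver:DataConnector>

    <!-- samaccountname released under two names: login_id (SAML1 + SAML2) ... -->
    <resolver:AttributeDefinition id="login_id" xsi:type="ad:Simple" sourceAttributeID="samaccountname">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:login_id" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="login_id" friendlyName="login_id" />
    </resolver:AttributeDefinition>

    <!-- ... and user_id, the tenant-prefixed form "psd_" + samaccountname. -->
    <resolver:AttributeDefinition id="user_id" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:user_id" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="id" friendlyName="user_id" />
        <Script><![CDATA[
            importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
            if (user_id == null) {
                user_id = new BasicAttribute("user_id");
            }
            // samaccountname is the LDAP search key, so it is present whenever the
            // connector returned anything; the guard only avoids an exception when it did not.
            if (samaccountname != null && samaccountname.getValues().size() > 0) {
                user_id.getValues().add("psd_" + samaccountname.getValues().get(0));
            }
        ]]></Script>
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="givenname" xsi:type="ad:Simple"
                                  sourceAttributeID="givenname">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            name="givenName"
            friendlyName="givenName" />
    </resolver:AttributeDefinition>

    <!-- Internal only: "sn" has no encoder and exists for the fullname/User.LastName definitions. -->
    <resolver:AttributeDefinition id="sn" xsi:type="ad:Simple"
                                  sourceAttributeID="sn">
        <resolver:Dependency ref="psdldap" />
        <!-- no encoder needed -->
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="familyname" xsi:type="ad:Simple"
                                  sourceAttributeID="sn">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            name="familyName"
            friendlyName="familyName" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="username" xsi:type="ad:Simple"
                                  sourceAttributeID="samaccountname">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            name="urn:mace:dir:attribute-def:username" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="homeroom-username" xsi:type="ad:Simple"
                                  sourceAttributeID="samaccountname">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            name="externalApplicationUserName" />
    </resolver:AttributeDefinition>

    <!-- NOTE(review): second definition with id="uid"; see the PrincipalName definition above. -->
    <resolver:AttributeDefinition id="uid" xsi:type="ad:Simple"
                                  sourceAttributeID="samaccountname">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            name="uid" />
    </resolver:AttributeDefinition>

    <!-- Releases the full DN of every group the account is a member of. -->
    <resolver:AttributeDefinition id="group" xsi:type="ad:Simple"
                                  sourceAttributeID="memberof">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            name="group"
            friendlyName="group" />
    </resolver:AttributeDefinition>

    <!-- The LDAP mail value released under three names: mail, email and User.email. -->
    <resolver:AttributeDefinition id="mail" xsi:type="ad:Simple"
                                  sourceAttributeID="mail">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            name="mail"
            friendlyName="mail" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="email" xsi:type="ad:Simple"
                                  sourceAttributeID="mail">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            name="email"
            friendlyName="email" />
    </resolver:AttributeDefinition>

    <!-- (A second, byte-identical id="mail" definition was removed here; duplicate ids are a configuration error.) -->

    <!-- "givenname sn", built from the two definitions above. -->
    <resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="fullname">
        <resolver:Dependency ref="givenname" />
        <resolver:Dependency ref="sn" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            name="User.name" />
        <Script><![CDATA[
            importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
            if (fullname == null) {
                fullname = new BasicAttribute("fullname");
            }
            // Only build the value when both parts resolved: an account missing givenname
            // or sn previously threw inside the script and failed the whole definition.
            if (givenname != null && givenname.getValues().size() > 0
                    && sn != null && sn.getValues().size() > 0) {
                fullname.getValues().add(givenname.getValues().get(0) + " " + sn.getValues().get(0));
            }
        ]]></Script>
    </resolver:AttributeDefinition>

    <!-- "User.*" attributes use the basic name format expected by the SPs listed in User.email. -->
    <resolver:AttributeDefinition id="User.FirstName" xsi:type="ad:Simple"
                                  sourceAttributeID="givenname">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
            name="User.FirstName" friendlyName="User.FirstName" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="User.LastName" xsi:type="ad:Simple"
                                  sourceAttributeID="sn">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
            name="User.LastName" friendlyName="User.LastName" />
    </resolver:AttributeDefinition>

    <!--
        User.email doubles as the e-mail-format NameID. One SAML2 NameID encoder is
        qualified per relying party that requires a nameQualifier, plus an unqualified
        one for everyone else; the SAML1 NameIdentifier and the plain attribute
        encoders release the same value as an ordinary attribute.
    -->
    <resolver:AttributeDefinition id="User.email" xsi:type="ad:Simple"
                                  sourceAttributeID="mail">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2StringNameID"
            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            nameQualifier="https://psdts.freshdesk.com/login/saml" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2StringNameID"
            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            nameQualifier="https://api.schooldata.net/dev/access/SDS_PeninsulaTestSchoolDistrict/saml" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2StringNameID"
            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            nameQualifier="https://martinb.jamfcloud.com/saml/metadata" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML1StringNameIdentifier"
            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML1String"
            name="urn:mace:dir:attribute-def:email" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
            name="User.email" friendlyName="User.email" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2StringNameID"
            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    </resolver:AttributeDefinition>

    <!--
        NOTE(review): User.Username is sourced from "sn" (surname), whereas every other
        username-style attribute in this file (login_id, username, uid, homeroom-username)
        is sourced from samaccountname. Verify this is intended and not a copy-paste slip.
    -->
    <resolver:AttributeDefinition id="User.Username" xsi:type="ad:Simple"
                                  sourceAttributeID="sn">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
            name="User.Username" friendlyName="User.Username" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="department" xsi:type="ad:Simple"
                                  sourceAttributeID="department">
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
            name="department" friendlyName="department" />
    </resolver:AttributeDefinition>

    <!--
        role: "teacher" when the LDAP employeetype attribute contains "Staff",
        otherwise "student". Every authenticated account therefore gets a role,
        including accounts with no employeetype at all.
    -->
    <resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="role">
        <resolver:Dependency ref="uid" />
        <resolver:Dependency ref="psdldap" />
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            name="role" />
        <Script><![CDATA[
            importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
            importPackage(Packages.org.slf4j);
            logger = LoggerFactory.getLogger("LDP_PSD");
            if (role == null) {
                role = new BasicAttribute("role");
            }
            // First value of a resolved attribute, or null when it is absent or empty.
            function firstValue(attr) {
                return (attr != null && attr.getValues().size() > 0) ? attr.getValues().get(0) : null;
            }
            is_Staff = employeetype != null && employeetype.getValues().contains("Staff");
            // Diagnostics demoted from INFO to DEBUG and null-guarded: they write the user's
            // name and e-mail address, and the unguarded employeetype.getValues().get(0)
            // threw for any account without that attribute, failing the whole definition.
            if (logger.isDebugEnabled()) {
                logger.debug("Name of testing were: " + firstValue(uid));
                logger.debug("Email of testing is: " + firstValue(mail));
                logger.debug("Last Name of testing is: " + firstValue(sn));
                logger.debug("LDAP of testing were: " + firstValue(employeetype));
            }
            role.getValues().add(is_Staff ? "teacher" : "student");
        ]]></Script>
    </resolver:AttributeDefinition>

    <!-- Resolution time as epoch milliseconds (decimal string). -->
    <resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="timestamp">
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2String"
            name="timestamp" />
        <Script><![CDATA[
            importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
            if (timestamp == null) {
                timestamp = new BasicAttribute("timestamp");
            }
            timestamp.getValues().add((new Date).getTime().toString());
        ]]></Script>
    </resolver:AttributeDefinition>

    <!--
        Kept from the stock example: a constant "member" affiliation, scoped with
        idp.scope, released to every authenticated user. Remove it if no relying
        party consumes eduPersonScopedAffiliation.
    -->
    <resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="affiliation">
        <resolver:Dependency ref="staticAttributes" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonAffiliation" encodeType="false" />
    </resolver:AttributeDefinition>

    <!-- ========================================== -->
    <!--                Data Connectors             -->
    <!-- ========================================== -->

    <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
        <dc:Attribute id="affiliation">
            <dc:Value>member</dc:Value>
        </dc:Attribute>
    </resolver:DataConnector>

    <resolver:PrincipalConnector xsi:type="pc:Transient" id="saml2Transient" nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" />

</resolver:AttributeResolver>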