@odyssey4me
Last active September 23, 2021 16:44
Working Shibboleth-based Keystone SP for ADFS IdP
<!--
Shibboleth SP attribute map for the ADFS IdP (attribute-map.xml, referenced by
<AttributeExtractor path="attribute-map.xml"/> in shibboleth2.xml).

Each <Attribute> maps an incoming SAML attribute/claim (name) to a local
attribute id. The id values are what the Keystone federation mapping's
"remote" rules refer to ("primarysid", "givenname", "surname", "upn", "Group"),
so renaming an id here requires the same change in the mapping.
-->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Used by the mapping as the user's email ({3}). -->
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" id="upn"/>
<!-- givenname and surname are joined as "{1}_{2}" to form the Keystone user name. -->
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" id="givenname"/>
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" id="surname"/>
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" id="emailaddress"/>
<!-- NOTE(review): "name" is mapped here but does not appear in the session dump below; presumably the IdP does not release it - confirm. -->
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" id="name"/>
<!-- Stable Windows SID, used by the mapping as the Keystone user id ({0}); unlike upn it does not change on rename. -->
<Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" id="primarysid"/>
<!-- Group membership claim; the mapping grants "fedgroup" only when a value equals "Domain Users". -->
<Attribute name="http://schemas.xmlsoap.org/claims/Group" id="Group"/>
</Attributes>
A Shibboleth session shows the following attributes available from the IdP:
Attributes
Group: Domain Users
emailaddress: superego@testenvironment.local
givenname: Super
primarysid: S-1-5-21-2917001131-1385516553-613696311-1108
surname: Ego
upn: superego@testenvironment.local
[
{
"local": [
{
"user": {
"id": "{0}",
"name": "{1}_{2}",
"email": "{3}"
}
}
],
"remote": [
{ "type": "primarysid" },
{ "type": "givenname" },
{ "type": "surname" },
{ "type": "upn" }
]
},
{
"local": [
{
"group": {
"name": "fedgroup",
"domain": { "name": "Default" }
}
}
],
"remote": [
{
"type": "Group",
"any_one_of": [ "Domain Users" ]
}
]
}
]
<!--
Shibboleth SP configuration (shibboleth2.xml) for a Keystone SP talking to an
ADFS IdP. Placeholders my_sp_dns_or_ip and my_idp_dns_or_ip must be replaced
with the real host names before use; the SP entityID and the IIS <Site> name
below both derive from the SP placeholder.
clockSkew is the tolerated clock difference, in seconds, when checking message
and assertion validity windows.
-->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
<OutOfProcess logger="/etc/shibboleth/shibd.logger">
<Extensions>
<!-- ADFS (WS-Federation) support; fatal="true" makes shibd refuse to start if the library cannot be loaded.
     The "ADFS" protocol listed under <SSO> and <Logout> below presumably depends on it. -->
<Library path="adfs.so" fatal="true"/>
</Extensions>
</OutOfProcess>
<!-- The InProcess section contains settings affecting web server modules/filters. -->
<InProcess logger="/etc/shibboleth/native.logger">
<Extensions>
<!-- In-process counterpart of adfs.so for the web server module. -->
<Library path="adfs-lite.so" fatal="true"/>
</Extensions>
<ISAPI normalizeRequest="true">
<!--
Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
required so that the proper <Host> in the request map above is found without
having to cover every possible DNS/IP combination the user might enter.
The port and scheme can usually be omitted, so the HTTP request's port and
scheme will be used.
(NOTE(review): no <RequestMapper> appears in this trimmed configuration, so the
"request map above" refers to the stock shibboleth2.xml - confirm how the
Keystone vhost is actually protected.)
-->
<!-- Port 5000 matches the Keystone endpoint used in the entityID below. -->
<Site id="1" name="my_sp_dns_or_ip:5000"/>
</ISAPI>
</InProcess>
<!-- The entityID is the name by which your IdP will know your SP. -->
<ApplicationDefaults entityID="https://my_sp_dns_or_ip:5000/shibboleth">
<!-- You should use secure cookies if at all possible. See cookieProps in this Wiki article. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
<!--
lifetime / timeout are in seconds (absolute lifetime 1h, idle timeout 30min).
relayState="ss:mem" keeps relay state in shibd memory rather than in a cookie.
checkAddress="false" does not bind the session to the client IP (needed behind
NAT/proxies, at the cost of weaker session-theft detection).
handlerSSL="true" serves the /Shibboleth.sso handlers only over TLS and
cookieProps="https" marks the session cookie Secure.
-->
<Sessions lifetime="3600"
timeout="1800"
relayState="ss:mem"
checkAddress="false"
handlerSSL="true"
cookieProps="https">
<!-- Triggers a login request directly to the IdP. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
<!--
entityID is the IdP's identifier as published in its metadata (ADFS uses the
http://.../adfs/services/trust form); it is matched against the metadata loaded
below, not fetched as a URL, so keep it exactly as the IdP publishes it.
ECP="true" enables the SAML ECP profile, which Keystone's command-line
federation flow relies on.
-->
<SSO ECP="true" entityID="http://my_idp_dns_or_ip/adfs/services/trust">
SAML2 SAML1 ADFS
</SSO>
<!-- SAML and local-only logout. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
<Logout asynchronous="false">
SAML2 ADFS Local
</Logout>
<!--
Handlers allow you to interact with the SP and gather more information.
Attribute values received by the SP through SAML will be visible at:
https://my_sp_dns_or_ip:5000/Shibboleth.sso/Session
-->
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<!-- signing="false": the generated metadata is unsigned, so the IdP admin should obtain it over TLS. -->
<Handler type="MetadataGenerator"
Location="/Metadata"
signing="false"/>
<!-- Status reporting service. -->
<!-- acl restricts /Status to loopback; it exposes configuration and runtime details. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<!-- showAttributeValues="true" is a debugging aid: /Session then prints the caller's own attribute
     values (SID, UPN, email, group). Consider setting it to "false" once the mapping is verified. -->
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!--
Loads and trusts a list of metadata files which describes
the trusted IdP's and how to communicate with them.
-->
<!--
The ADFS federation metadata is fetched over HTTPS and cached in
backingFilePath; reloadInterval is in seconds. No <MetadataFilter> (e.g. a
Signature filter pinned to the IdP's signing certificate) is configured here,
so trust in the IdP's keys rests entirely on the TLS connection to uri -
NOTE(review): confirm that is acceptable for this deployment.
-->
<MetadataProvider type="XML"
uri="https://my_idp_dns_or_ip/FederationMetadata/2007-06/FederationMetadata.xml"
backingFilePath="metadata-adfs-idp.xml"
reloadInterval="360" />
<!-- Map to extract attributes from SAML assertions. -->
<!-- attribute-map.xml holds the claim-to-id mapping used by the Keystone mapping rules. -->
<AttributeExtractor type="XML"
validate="true"
path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query"
subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML"
validate="true"
path="attribute-policy.xml"/>
<!-- Your SP generated these credentials. They're used to talk to IdP's. -->
<!-- sp-key.pem is the SP's private key; keep it readable only by the shibd/web server account. -->
<CredentialResolver type="File"
key="sp-key.pem"
certificate="sp-cert.pem"/>
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML"
validate="true"
path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML"
validate="true"
reloadChanges="false"
path="protocols.xml"/>
</SPConfig>