Institutions may want to release group information to Shibboleth Service Providers in a secure way when a user is accessing a site. Here are some ways to do that. You may also want to see the page on Grouper and Shibboleth Integration.
Sending the isMemberOf attribute
...
```xml
<!-- LDAP connector: fetch the user's own entry, whose isMemberOf values list the groups
     the directory (for example one provisioned from Grouper) says the user belongs to. -->
<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldaps://ldap.example.org" baseDN="dc=example,dc=org"
    principal="cn=directory manager" principalCredential="password"
    poolInitialSize="3" poolMaxIdleSize="3">
    <FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </FilterTemplate>
</resolver:DataConnector>

<!-- Expose the directory's isMemberOf attribute under its standard SAML 1 and SAML 2 names. -->
<resolver:AttributeDefinition id="isMemberOf" xsi:type="Simple"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="isMemberOf">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML1String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:isMemberOf" />
    <resolver:AttributeEncoder xsi:type="SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
</resolver:AttributeDefinition>
```
...
```xml
<!-- Alternative when the directory stores membership on the group entries rather than on
     the user: search for every group whose member attribute names the user, return each
     group's cn, and merge the results into one multi-valued attribute. -->
<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldaps://ldap.example.org" baseDN="dc=example,dc=org"
    principal="cn=directory manager" principalCredential="password"
    poolInitialSize="3" poolMaxIdleSize="3"
    maxResultSize="500" mergeResults="true">
    <FilterTemplate>
        <![CDATA[
            (member=uid=${requestContext.principalName})
        ]]>
    </FilterTemplate>
    <ReturnAttributes>cn</ReturnAttributes>
</resolver:DataConnector>

<!-- The group cn values become the isMemberOf attribute, encoded under the same standard names. -->
<resolver:AttributeDefinition id="isMemberOf" xsi:type="Simple"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="cn">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML1String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:isMemberOf" />
    <resolver:AttributeEncoder xsi:type="SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
</resolver:AttributeDefinition>
```
...
Suppose you want to release the standard library entitlement, based on membership in one or more groups.
```xml
<!-- Internal attribute holding the user's group list; it has no encoder, so it is never
     released on its own and only feeds the scripted definition below. -->
<resolver:AttributeDefinition id="memberships" xsi:type="Simple"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="isMemberOf">
    <resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition>

<!-- Scripted definition: emit the common library entitlement when the user is in any
     qualifying group, so the SP learns the entitlement but not the group names. -->
<resolver:AttributeDefinition id="entitlement_lib" xsi:type="Script"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="memberships" />
    <resolver:AttributeEncoder xsi:type="SAML1String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
    <resolver:AttributeEncoder xsi:type="SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
    <Script>
        <![CDATA[
            importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
            // The resolver reads back the script variable whose name equals the definition
            // id, so the attribute must be held in a variable called entitlement_lib.
            entitlement_lib = new BasicAttribute("entitlement_lib");
            var ngroup = memberships.getValues().size();
            for (var i = 0; i < ngroup; i++) {
                var group = memberships.getValues().get(i);
                if (group.equals("uw:student") || group.equals("uw:employee") || group.equals("uw:lib:users")) {
                    // One qualifying group is enough; the entitlement is a single fixed value.
                    entitlement_lib.getValues().add('urn:mace:dir:entitlement:common-lib-terms');
                    break;
                }
            }
        ]]>
    </Script>
</resolver:AttributeDefinition>
```
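The resolver definitions above only compute isMemberOf and entitlement_lib; nothing is released until an attribute filter policy permits it. The following attribute-filter.xml fragment is an added example, not part of the original page, showing how to release the group list and the entitlement only to the library SP and only the library-related group names; the SP entityID and the `uw:lib:` prefix are assumed values.

```xml
<!-- Added example (assumed entityID and group prefix), Shibboleth IdP v2 attribute-filter.xml -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- This policy applies only when the requester is the library SP (assumed entityID). -->
    <afp:AttributeFilterPolicy id="releaseGroupsToLibrary">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://library.example.org/shibboleth" />

        <!-- Permit only group names under the assumed uw:lib: prefix, so the SP never
             sees the user's full membership list. -->
        <afp:AttributeRule attributeID="isMemberOf">
            <afp:PermitValueRule xsi:type="basic:AttributeValueRegex" regex="^uw:lib:.*$" />
        </afp:AttributeRule>

        <!-- The scripted entitlement carries a single fixed value, so any value is fine. -->
        <afp:AttributeRule attributeID="entitlement_lib">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

Note that attributeID in the filter refers to the resolver definition id (entitlement_lib), not to the encoded SAML name.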
...