
Institutions may want to release group information to Shibboleth Service Providers in a secure way when a user is accessing a site. Here are some ways to do that. Whichever approach you use, pair the resolver configuration below with an attribute filter policy so that group names, and any entitlements derived from them, are released only to the Service Providers that need them. You may also want to see the page on Grouper and Shibboleth integration.

Sending the isMemberOf attribute

...

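    <!-- Directory connector that the isMemberOf definitions below depend on.
         SECURITY: "cn=directory manager" is the directory's superuser account. Bind the
         IdP with a dedicated read-only service account that can see only the user and
         group entries the resolver needs, and protect the credential (restrictive file
         permissions at minimum); the clear-text password here is a placeholder.
         The filter is a Velocity template. principalName comes from the IdP's own
         authentication step, but it is not escaped here, so if uids may contain LDAP
         filter metacharacters ( ) * \ confirm how your directory handles them. -->
    <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldaps://ldap.example.org" baseDN="dc=example,dc=org" principal="cn=directory manager"
        principalCredential="password" poolInitialSize="3" poolMaxIdleSize="3">
        <FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </FilterTemplate>
        <!-- Fetch only what the dependent definitions source (isMemberOf). Without a
             ReturnAttributes list every attribute of the user's entry is pulled into the
             IdP on each lookup. Add any other attribute that another definition sources
             from this connector. -->
        <ReturnAttributes>isMemberOf</ReturnAttributes>
    </resolver:DataConnector>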

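    <!-- Release the user's group memberships as the eduMember isMemberOf attribute,
         sourced directly from the entry fetched by myLDAP. Pair this with an
         attribute-filter policy that releases isMemberOf (or a subset of its values)
         only to the Service Providers that need it. -->
    <resolver:AttributeDefinition id="isMemberOf" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="isMemberOf">
        <resolver:Dependency ref="myLDAP" />

        <!-- SAML 1 name: the urn:mace:dir:attribute-def form of the attribute name, as
             used for eduPersonEntitlement below (not the name and the OID concatenated,
             which no Service Provider would match). -->
        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:isMemberOf" />

        <!-- SAML 2 name: the OID form, with isMemberOf as the friendly name. -->
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
    </resolver:AttributeDefinition>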

...

    <!-- Variant: derive group membership by searching the group entries whose "member"
         value matches the user and returning each matching group's cn.
         SECURITY: as with any directory bind, use a dedicated read-only service account
         rather than "cn=directory manager", and protect the credential; the clear-text
         password here is a placeholder.
         NOTE(review): in groupOfNames-style group objects "member" normally holds the
         member's full DN, so "uid=<principal>" only matches if your group entries store
         bare RDNs. Confirm the value form your directory uses before deploying this filter.
         maxResultSize="500" silently drops memberships beyond 500 groups; with
         mergeResults="true" such a user would receive a partial isMemberOf list. -->
    <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldaps://ldap.example.org" baseDN="dc=example,dc=org" principal="cn=directory manager"
        principalCredential="password" poolInitialSize="3" poolMaxIdleSize="3"
        maxResultSize="500" mergeResults="true" >
        <FilterTemplate>
            <![CDATA[
                (member=uid=${requestContext.principalName})
            ]]>
        </FilterTemplate>
        <!-- Only the group name is needed; nothing else from the group entry is fetched. -->
        <ReturnAttributes>cn</ReturnAttributes>
    </resolver:DataConnector>

    <resolver:AttributeDefinition id="isMemberOf" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="cn">
        <resolver:Dependency ref="myLDAP" />

        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:isMemberOfoid:1.3.6.1.4.1.5923.1.5.1.1" />

        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
    </resolver:AttributeDefinition>

...

Suppose you want to release the standard library entitlement (`urn:mace:dir:entitlement:common-lib-terms`) as eduPersonEntitlement, based on membership in one or more groups.

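    <!-- Intermediate attribute that feeds the entitlement script below. It has no
         encoders, and dependencyOnly="true" keeps it internal to the resolver so it
         is not part of the resolved attribute set that is filtered and released. -->
    <resolver:AttributeDefinition id="memberships" xsi:type="Simple"
        xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="isMemberOf" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
    </resolver:AttributeDefinition>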

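    <!-- Map membership in any of the qualifying groups to the common-lib-terms
         eduPersonEntitlement. The script runs for every user, including users who
         belong to no group at all, so the memberships dependency is guarded before
         its values are read. -->
    <resolver:AttributeDefinition id="entitlement_lib" xsi:type="Script"
        xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:Dependency ref="memberships" />

       <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:eduPersonEntitlement" />

        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />

      <Script>
        <![CDATA[
           // importPackage is a Rhino (IdP 2.x) extension; on a Nashorn engine it is
           // only available after load("nashorn:mozilla_compat.js").
           importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
           // The resolver picks up the script variable named after the definition id.
           entitlement = new BasicAttribute("entitlement_lib");
           // Membership in any one of these groups is sufficient for the entitlement.
           var qualifyingGroups = ["uw:student", "uw:employee", "uw:lib:users"];
           // A user with no memberships arrives with the dependency absent or null;
           // without this guard the script throws and attribute resolution fails.
           if (typeof memberships != "undefined" && memberships != null && memberships.getValues() != null) {
             var values = memberships.getValues();
             var ngroup = values.size();
             for (var i = 0; i < ngroup; i++) {
               var group = values.get(i);
               var qualifies = false;
               for (var j = 0; j < qualifyingGroups.length; j++) {
                 if (group.equals(qualifyingGroups[j])) {
                   qualifies = true;
                   break;
                 }
               }
               if (qualifies) {
                 entitlement.getValues().add('urn:mace:dir:entitlement:common-lib-terms');
                 break; // one value is enough; stop scanning the remaining groups
               }
             }
           }
          ]]>
       </Script>

    </resolver:AttributeDefinition>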

...