namedID

Hong Ye hy93 at cornell.edu
Fri May 23 17:54:07 EDT 2014


Nate,

Thank you for your reply. To support WebEx, our IdP releases a NameID. It currently works fine for WebEx. I'm just curious how WebEx gets the value of this NameID. I have no idea how to define the attribute mapping for the NameID in the SP. Could you give me an example?

In attribute-filter.xml we

<!-- Release policy for the WebEx SP: applies only when the requester is http://www.webex.com -->
<AttributeFilterPolicy id="WEBEX">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://www.webex.com" />

    <!-- webexID carries the SAML2StringNameID encoder (see attribute-resolver.xml below),
         so releasing it is what makes it a NameID candidate for the assertion Subject -->
    <AttributeRule attributeID="webexID">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <!-- Deny the transient id so webexID is the only NameID candidate for this SP -->
    <AttributeRule attributeID="transientId">
        <DenyValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <AttributeRule attributeID="firstname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <AttributeRule attributeID="lastname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <AttributeRule attributeID="WEBEXemail">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

</AttributeFilterPolicy>

In attribute-resolver.xml, we populate webexID with the value of uid if the user is in a certain group:

<resolver:AttributeDefinition id="webexID" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="uid">

    <!-- These connectors supply the uid and memberOf attributes the script reads -->
    <resolver:Dependency ref="myAD" />
    <resolver:Dependency ref="myLDAP" />

    <!-- Encode the value as a SAML 2 NameID with the "unspecified" format;
         the SP must map exactly this format to see the value -->
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />

    <Script><![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

        // Create the attribute to be returned from this definition
        webexID = new BasicAttribute("webexID");
        j = 0;   // becomes 1 once a qualifying group has been found

        // If the user has group membership
        if (typeof memberOf != "undefined" && memberOf != null) {
            // Then go through each group membership and see if we can find the CIT-webex-enterprise-users
            for (i = 0; memberOf != null && i < memberOf.getValues().size(); i++) {
                value = memberOf.getValues().get(i);

                // Match the group RDN value followed by the comma that starts the next RDN of the DN
                if (value.indexOf("webex-users,") > 0 || value.indexOf("webex-enterprise,") > 0) {
                    webexID.getValues().add(uid.getValues().get(0));
                    j = 1;
                    break;   // uid only needs to be added once, even if both groups match
                }
            }
        }

        // No matching group: release an empty value rather than no value at all
        if (j == 0) {
            webexID.getValues().add("");
        }
    ]]></Script>

</resolver:AttributeDefinition>

Thanks a lot,

Hong

On May 23, 2014, at 4:41 PM, Nate Klingenstein <ndk at internet2.edu> wrote:

> Hong,
> 
> You will need to have some attribute mapping available for the inbound NameID, and that will be different for different kinds of NameIDs.  There is no general answer because of that.  Once mapped, the NameID is available like any other attribute.
> 
> https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes
> 
> Here's the documentation on mapping it:
> 
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeDecoder#NativeSPAttributeDecoder-NameIDAttributeDecoder
> 
> If you have a more specific question we can give you a more specific answer.
> 
> Thanks,
> Nate.
> 
> On May 23, 2014, at 1:55 PM, Hong Ye <hy93 at cornell.edu> wrote:
> 
>> Hi,
>> 
>> I'm new to Shibboleth SP.  From the IdP process log, I saw that a NameID was sent back in the SAML2 assertion's Subject for my SP. But how can my SP get and use the NameID that was sent back from the IdP? Is there any configuration that needs to be done in the SP?
>> 
>> Thanks,
>> 
>> Hong
>> 
>> --
>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> 
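The SP-side half of what Nate describes, written out as an added example (it is not code from this thread or from the Shibboleth project). The IdP configuration above encodes webexID as a SAML 2 NameID with the "unspecified" format, and the SP's attribute-map.xml matches inbound NameIDs on that Format string, not on the IdP's attribute id, so the Attribute name below is the format URI. The id "webexID" on the SP side is an assumption; any id can be used.

```xml
<!-- Fragment of the Shibboleth SP attribute-map.xml (example added here, not the project's own
     configuration). It maps the inbound NameID with Format
     urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified into an SP attribute called webexID. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- name = the NameID Format the IdP sends; id = the name the application sees
         (request variable / header), "webexID" chosen here as an assumption -->
    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" id="webexID">
        <!-- formatter assembles the attribute value from the NameID's parts:
             $Name is the bare value; $NameQualifier, $SPNameQualifier and $Format are also
             available if the application should see a scoped value.
             defaultQualifiers="true" fills the qualifiers with the IdP and SP entityIDs when the
             NameID element carries none, so a $NameQualifier-based formatter never yields blanks. -->
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
    </Attribute>

</Attributes>
```

After shibd is restarted, the value is exposed to the protected application under the id given here. One check worth doing on the SP side: the IdP script above deliberately releases an empty string for users outside the two groups, so the application should treat an empty webexID as "not entitled" rather than as a valid identifier.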


