SAML Authentication using LDAP groups

Cahill, Charles (GE Appliances) Charles.Cahill at ge.com
Tue Dec 1 10:58:31 EST 2015 

I am also wondering, could this be handled on the Apache SP side in the conf file handling
Location information?

-----Original Message-----
From: Cahill, Charles (GE Appliances) 
Sent: Tuesday, December 01, 2015 10:24 AM
To: Shib Users
Subject: SAML Authentication using LDAP groups

Hey All:

	I am looking to do something I believe is unique here with Shibboleth and need some help to 
	Understand if it is possible.

	I need Shibboleth to do Authentication against LDAP groups.  The challenge is that LDAP groups
	contain DN's, not UID information, so the UID must first be gathered and the DN pulled out.	
	The groups branch must then be searched with that DN to see what groups the user is a member of.
	The authentication would then need to be done against that information.  We are doing something
	Similar with authorization and the code is below.  My question is, can scripts be used in the login.config
	to do something along these lines or are scripts not able to be used there.  I would think I need to use 
	requisite and required login modules to make this work as well maybe with some variables.

	Here is our authorization methodology for returning the displayname of a group as a header.  I need
	Not to return this header in some instances but to be able to do full authentication based on group 	membership.

		<!--ODSEE LDAP Groups Connector Configs-->
	<resolver:DataConnector id="slapd-xxxx-user-groups" xsi:type="dc:LDAPDirectory"
		ldapURL="ldaps://xxxxx  ldaps://xxxxx"
		principalCredential="xxxxx"
		principal="xxxxx"
		connectionStrategy="ACTIVE_PASSIVE"
		maxResultSize="50"
		mergeResults="true"
		baseDN="ou=xxxxxgroups,ou=groups,o=xx.com">
		<resolver:Dependency ref="slapd-xxx.xxx.xx.com" />
		<resolver:Dependency ref="gexxxuid" />
		<dc:FilterTemplate>
			<![CDATA[
			(&(gexxxxxunit=Appliances)(uniquemember=gexxxuid=$gexxxuid.get(0),ou=gexxx,o=xx.com))
			]]>
		</dc:FilterTemplate>
		<dc:ReturnAttributes>displayname</dc:ReturnAttributes>
		<dc:LDAPProperty name="java.naming.ldap.factory.socket" value="javax.net.ssl.SSLSocketFactory"/>
		<dc:ConnectionPool
			minPoolSize="1"
			maxPoolSize="8"
			blockWhenEmpty="true"
			blockWaitTime="PT5S"
			expirationTime="PT10M"/>
	</resolver:DataConnector>

More information about the users mailing list