SAML Authentication using LDAP groups
Cahill, Charles (GE Appliances)
Charles.Cahill at ge.com
Tue Dec 1 10:58:31 EST 2015
I am also wondering, could this be handled on the Apache SP side in the conf file handling
From: Cahill, Charles (GE Appliances)
Sent: Tuesday, December 01, 2015 10:24 AM
To: Shib Users
Subject: SAML Authentication using LDAP groups
I am looking to do something I believe is unique here with Shibboleth and need some help to
Understand if it is possible.
I need Shibboleth to do Authentication against LDAP groups. The challenge is that LDAP groups
contain DN's, not UID information, so the UID must first be gathered and the DN pulled out.
The groups branch must then be searched with that DN to see what groups the user is a member of.
The authentication would then need to be done against that information. We are doing something
Similar with authorization and the code is below. My question is, can scripts be used in the login.config
to do something along these lines or are scripts not able to be used there. I would think I need to use
requisite and required login modules to make this work as well maybe with some variables.
Here is our authorization methodology for returning the displayname of a group as a header. I need
Not to return this header in some instances but to be able to do full authentication based on group membership.
<!--ODSEE LDAP Groups Connector Configs-->
<resolver:DataConnector id="slapd-xxxx-user-groups" xsi:type="dc:LDAPDirectory"
<resolver:Dependency ref="slapd-xxx.xxx.xx.com" />
<resolver:Dependency ref="gexxxuid" />
<dc:LDAPProperty name="java.naming.ldap.factory.socket" value="javax.net.ssl.SSLSocketFactory"/>
More information about the users