SAML Authentication using LDAP groups

Curry, Warren whcurry at ufl.edu
Tue Dec 1 14:43:33 EST 2015 

It would seem that you want to do authorization against groups. Not authentication with groups.  

Why not make the  LDAp groups an load an Attribute in you saml2 doc?     Tthis can then be used to determine authorization..  

Perhaps I am missing something ... 

whc

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cahill, Charles (GE Appliances)
Sent: Tuesday, December 01, 2015 10:59 AM
To: Shib Users <users at shibboleth.net>
Subject: RE: SAML Authentication using LDAP groups

I am also wondering, could this be handled on the Apache SP side in the conf file handling Location information?

-----Original Message-----
From: Cahill, Charles (GE Appliances)
Sent: Tuesday, December 01, 2015 10:24 AM
To: Shib Users
Subject: SAML Authentication using LDAP groups

Hey All:

	I am looking to do something I believe is unique here with Shibboleth and need some help to 
	Understand if it is possible.

	I need Shibboleth to do Authentication against LDAP groups.  The challenge is that LDAP groups
	contain DN's, not UID information, so the UID must first be gathered and the DN pulled out.	
	The groups branch must then be searched with that DN to see what groups the user is a member of.
	The authentication would then need to be done against that information.  We are doing something
	Similar with authorization and the code is below.  My question is, can scripts be used in the login.config
	to do something along these lines or are scripts not able to be used there.  I would think I need to use 
	requisite and required login modules to make this work as well maybe with some variables.

	Here is our authorization methodology for returning the displayname of a group as a header.  I need
	Not to return this header in some instances but to be able to do full authentication based on group 	membership.

		<!--ODSEE LDAP Groups Connector Configs-->
	<resolver:DataConnector id="slapd-xxxx-user-groups" xsi:type="dc:LDAPDirectory"
		ldapURL="ldaps://xxxxx  ldaps://xxxxx"
		principalCredential="xxxxx"
		principal="xxxxx"
		connectionStrategy="ACTIVE_PASSIVE"
		maxResultSize="50"
		mergeResults="true"
		baseDN="ou=xxxxxgroups,ou=groups,o=xx.com">
		<resolver:Dependency ref="slapd-xxx.xxx.xx.com" />
		<resolver:Dependency ref="gexxxuid" />
		<dc:FilterTemplate>
			<![CDATA[
			(&(gexxxxxunit=Appliances)(uniquemember=gexxxuid=$gexxxuid.get(0),ou=gexxx,o=xx.com))
			]]>
		</dc:FilterTemplate>
		<dc:ReturnAttributes>displayname</dc:ReturnAttributes>
		<dc:LDAPProperty name="java.naming.ldap.factory.socket" value="javax.net.ssl.SSLSocketFactory"/>
		<dc:ConnectionPool
			minPoolSize="1"
			maxPoolSize="8"
			blockWhenEmpty="true"
			blockWaitTime="PT5S"
			expirationTime="PT10M"/>
	</resolver:DataConnector>
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list