SAML Authentication using LDAP groups
Cahill, Charles (GE Appliances)
Charles.Cahill at ge.com
Tue Dec 1 16:29:23 EST 2015
Thank you all for your input on this. I was able to solve the problem by using configuration
on the Apache SP side.
Made the below changes in the shib.conf.
Require shib-attr displayname ${DISPLAYNAME} did the trick. Now, only users with a specific LDAP
displayname can access my application. I am feeding in the APPLICATION_ENDPOINT,
PROTECTEDAPPROOT and DISPLAYNAME as variables in Docker that are fed into the Apache SP code
I have in GitHub to create an Apache instance with the Shibboleth Service Provider installed.
<VirtualHost *:80>
    # Keep the SP handler local; proxy everything else to the application.
    ProxyPass        /Shibboleth.sso !
    ProxyPass        / ${APPLICATION_ENDPOINT}
    ProxyPassReverse /Shibboleth.sso !
    ProxyPassReverse / ${APPLICATION_ENDPOINT}

    # Copy the attributes the SP exports as environment variables into request
    # headers for the backend (the names must match the ids in attribute-map.xml).
    RequestHeader set cn          "%{cn}e"
    RequestHeader set firstname   "%{firstname}e"
    RequestHeader set lastname    "%{lastname}e"
    RequestHeader set email       "%{email}e"
    RequestHeader set uid         "%{uid}e"
    RequestHeader set displayname "%{displayname}e"

    # The SP handler must be reachable without a session
    # (2.2-style directives; on 2.4 they need mod_access_compat).
    <Location /Shibboleth.sso>
        Satisfy Any
        Allow from all
    </Location>

    # Only this path requires a session and the displayname match.
    <Location /${PROTECTEDAPPROOT}>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-attr displayname ${DISPLAYNAME}
    </Location>
</VirtualHost>
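As an added example (not the poster's config, and not anything from the Shibboleth project), the same VirtualHost tightened for Apache 2.4: it assumes mod_authz_core, mod_headers, mod_proxy and the Shibboleth SP module are loaded, reuses the ${APPLICATION_ENDPOINT}, ${PROTECTEDAPPROOT} and ${DISPLAYNAME} placeholders from the post, and assumes the environment variable names match the ids in the SP's attribute-map.xml. The point it adds is that identity headers are only ever derived from SP-exported variables, and only on the protected path, so neither an anonymous proxied request nor a client-supplied header of the same name reaches the backend carrying an identity.

```apache
# Added example, not the original post's config. Assumes Apache 2.4 with
# mod_authz_core, mod_headers, mod_proxy and the Shibboleth SP module loaded.
<VirtualHost *:80>
    # Keep the SP handler local; everything else is proxied to the application.
    ProxyPass        /Shibboleth.sso !
    ProxyPassReverse /Shibboleth.sso !
    ProxyPass        / ${APPLICATION_ENDPOINT}
    ProxyPassReverse / ${APPLICATION_ENDPOINT}

    # Base policy for every path: strip any identity header the client sent.
    # These vhost-level directives are merged before the Location ones below,
    # so the unset always runs first and the backend never sees a forged value.
    RequestHeader unset cn
    RequestHeader unset firstname
    RequestHeader unset lastname
    RequestHeader unset email
    RequestHeader unset uid
    RequestHeader unset displayname

    # The SP handler must be reachable without a session
    # (2.4 form of "Satisfy Any / Allow from all").
    <Location /Shibboleth.sso>
        Require all granted
    </Location>

    # Only the protected root requires an SP session and the attribute match.
    <Location /${PROTECTEDAPPROOT}>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-attr displayname ${DISPLAYNAME}

        # Populate identity headers here only, and only when the SP actually
        # exported the variable (env=NAME). Without the condition mod_headers
        # writes the literal string "(null)" for a missing variable.
        RequestHeader set cn          "%{cn}e"          env=cn
        RequestHeader set firstname   "%{firstname}e"   env=firstname
        RequestHeader set lastname    "%{lastname}e"    env=lastname
        RequestHeader set email       "%{email}e"       env=email
        RequestHeader set uid         "%{uid}e"         env=uid
        RequestHeader set displayname "%{displayname}e" env=displayname
    </Location>
</VirtualHost>
```

Two checks worth running after deploying something like this: request an unprotected path with a forged `uid:` header and confirm the backend receives none, and request the protected path as a user whose displayname does not match ${DISPLAYNAME} and confirm Apache answers 403 before anything is proxied. The `Require shib-attr` line matches the exported attribute value exactly, so the value handed in as ${DISPLAYNAME} must be the attribute value as released by the IdP, not a pattern.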
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Curry, Warren
Sent: Tuesday, December 01, 2015 2:44 PM
To: Shib Users
Subject: RE: SAML Authentication using LDAP groups
It would seem that you want to do authorization against groups, not authentication with groups.
Why not make the LDAP groups an attribute and load it in your SAML2 doc? This can then be used to determine authorization.
Perhaps I am missing something ...
whc
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cahill, Charles (GE Appliances)
Sent: Tuesday, December 01, 2015 10:59 AM
To: Shib Users <users at shibboleth.net>
Subject: RE: SAML Authentication using LDAP groups
I am also wondering, could this be handled on the Apache SP side in the conf file handling Location information?
-----Original Message-----
From: Cahill, Charles (GE Appliances)
Sent: Tuesday, December 01, 2015 10:24 AM
To: Shib Users
Subject: SAML Authentication using LDAP groups
Hey All:
I am looking to do something I believe is unique here with Shibboleth and need some help to
understand if it is possible.
I need Shibboleth to do authentication against LDAP groups. The challenge is that LDAP groups
contain DNs, not UID information, so the UID must first be gathered and the DN pulled out.
The groups branch must then be searched with that DN to see what groups the user is a member of.
The authentication would then need to be done against that information. We are doing something
similar with authorization and the code is below. My question is, can scripts be used in the login.config
to do something along these lines, or are scripts not able to be used there? I would think I need to use
requisite and required login modules to make this work as well, maybe with some variables.
Here is our authorization methodology for returning the displayname of a group as a header. I need
not to return this header in some instances, but to be able to do full authentication based on group membership.
<!-- ODSEE LDAP Groups Connector Configs -->
<resolver:DataConnector id="slapd-xxxx-user-groups" xsi:type="dc:LDAPDirectory"
                        ldapURL="ldaps://xxxxx ldaps://xxxxx"
                        principalCredential="xxxxx"
                        principal="xxxxx"
                        connectionStrategy="ACTIVE_PASSIVE"
                        maxResultSize="50"
                        mergeResults="true"
                        baseDN="ou=xxxxxgroups,ou=groups,o=xx.com">
    <resolver:Dependency ref="slapd-xxx.xxx.xx.com" />
    <resolver:Dependency ref="gexxxuid" />
    <!-- Search the groups branch for entries whose uniquemember is the user's DN,
         built from the resolved uid attribute -->
    <dc:FilterTemplate>
        <![CDATA[
            (&(gexxxxxunit=Appliances)(uniquemember=gexxxuid=$gexxxuid.get(0),ou=gexxx,o=xx.com))
        ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>displayname</dc:ReturnAttributes>
    <dc:LDAPProperty name="java.naming.ldap.factory.socket" value="javax.net.ssl.SSLSocketFactory"/>
    <dc:ConnectionPool
        minPoolSize="1"
        maxPoolSize="8"
        blockWhenEmpty="true"
        blockWaitTime="PT5S"
        expirationTime="PT10M"/>
</resolver:DataConnector>
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net