SAML Authentication using LDAP groups
Curry, Warren
whcurry at ufl.edu
Tue Dec 1 23:27:42 EST 2015
+1. Not sure I understand either...
Sent from my Verizon Wireless 4G LTE DROID
On Dec 1, 2015 5:14 PM, "Bellina, Brendan" <bbellina at ucla.edu> wrote:
Glad you were able to get the behavior you wanted, but I¹m left a bit
confused. This is checking against the user¹s display name attribute
value, not the display name of a group the user is in, right? I thought
you were trying to determine what groups the user was in.
Regards,
Brendan Bellina
Identity Mgmt. Architect, IT Services, UCLA
On 12/1/15, 1:29 PM, "users on behalf of Cahill, Charles (GE Appliances)"
<users-bounces at shibboleth.net on behalf of Charles.Cahill at ge.com> wrote:
>Thank you all for your input on this. I was able to solve the problem by
>using configurations
>on the Apache side SP.
>
>Made the below changes in the shib.conf
>Require shib-attr displayname ${DISPLAYNAME} did the trick. Now, only
>users with a specific LDAP
>Displayname can access my application. I am feeding in the
>APPLICATION_ENDPOINT,
>PROTECTEDAPPROOT AND DISPLAYNAME as variables in docker that are fed into
>the Apache SP code
>I have in github to create an Apache instance with the Shibboleth Service
>Provider installed.
>
><VirtualHost *:80>
>
> ProxyPass /Shibboleth.sso !
> ProxyPass / ${APPLICATION_ENDPOINT}
> ProxyPassReverse /Shibboleth.sso !
> ProxyPassReverse / ${APPLICATION_ENDPOINT}
> RequestHeader set cn "%{cn}e"
> RequestHeader set firstname "%{firstname}e"
> RequestHeader set lastname "%{lastname}e"
> RequestHeader set email "%{email}e"
> RequestHeader set uid "%{uid}e"
> RequestHeader set displayname "%{displayname}e"
>
> <Location /Shibboleth.sso>
> Satisfy Any
> Allow from all
> </Location>
>
> <Location /${PROTECTEDAPPROOT}>
> AuthType shibboleth
> ShibRequestSetting requireSession 1
> Require shib-attr displayname ${DISPLAYNAME}
> </Location>
></VirtualHost>
>
>-----Original Message-----
>From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Curry,
>Warren
>Sent: Tuesday, December 01, 2015 2:44 PM
>To: Shib Users
>Subject: RE: SAML Authentication using LDAP groups
>
>It would seem that you want to do authorization against groups. Not
>authentication with groups.
>
>Why not make the LDAp groups an load an Attribute in you saml2 doc?
>Tthis can then be used to determine authorization..
>
>Perhaps I am missing something ...
>
>whc
>
>-----Original Message-----
>From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cahill,
>Charles (GE Appliances)
>Sent: Tuesday, December 01, 2015 10:59 AM
>To: Shib Users <users at shibboleth.net>
>Subject: RE: SAML Authentication using LDAP groups
>
>I am also wondering, could this be handled on the Apache SP side in the
>conf file handling Location information?
>
>-----Original Message-----
>From: Cahill, Charles (GE Appliances)
>Sent: Tuesday, December 01, 2015 10:24 AM
>To: Shib Users
>Subject: SAML Authentication using LDAP groups
>
>Hey All:
>
> I am looking to do something I believe is unique here with Shibboleth
>and need some help to
> Understand if it is possible.
>
> I need Shibboleth to do Authentication against LDAP groups. The
>challenge is that LDAP groups
> contain DN's, not UID information, so the UID must first be gathered and
>the DN pulled out.
> The groups branch must then be searched with that DN to see what groups
>the user is a member of.
> The authentication would then need to be done against that information.
>We are doing something
> Similar with authorization and the code is below. My question is, can
>scripts be used in the login.config
> to do something along these lines or are scripts not able to be used
>there. I would think I need to use
> requisite and required login modules to make this work as well maybe
>with some variables.
>
> Here is our authorization methodology for returning the displayname of a
>group as a header. I need
> Not to return this header in some instances but to be able to do full
>authentication based on group membership.
>
> <!--ODSEE LDAP Groups Connector Configs-->
> <resolver:DataConnector id="slapd-xxxx-user-groups"
>xsi:type="dc:LDAPDirectory"
> ldapURL="ldaps://xxxxx ldaps://xxxxx"
> principalCredential="xxxxx"
> principal="xxxxx"
> connectionStrategy="ACTIVE_PASSIVE"
> maxResultSize="50"
> mergeResults="true"
> baseDN="ou=xxxxxgroups,ou=groups,o=xx.com">
> <resolver:Dependency ref="slapd-xxx.xxx.xx.com" />
> <resolver:Dependency ref="gexxxuid" />
> <dc:FilterTemplate>
> <![CDATA[
> (&(gexxxxxunit=Appliances)(uniquemember=gexxxuid=$gexxxuid.get(0),ou=ge
>xxx,o=xx.com))
> ]]>
> </dc:FilterTemplate>
> <dc:ReturnAttributes>displayname</dc:ReturnAttributes>
> <dc:LDAPProperty name="java.naming.ldap.factory.socket"
>value="javax.net.ssl.SSLSocketFactory"/>
> <dc:ConnectionPool
> minPoolSize="1"
> maxPoolSize="8"
> blockWhenEmpty="true"
> blockWaitTime="PT5S"
> expirationTime="PT10M"/>
> </resolver:DataConnector>
>--
>To unsubscribe from this list send an email to
>users-unsubscribe at shibboleth.net
>--
>To unsubscribe from this list send an email to
>users-unsubscribe at shibboleth.net
>--
>To unsubscribe from this list send an email to
>users-unsubscribe at shibboleth.net
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20151202/d48f4257/attachment-0001.html>
More information about the users
mailing list