SAML Authentication using LDAP groups
Cahill, Charles (GE Appliances)
Charles.Cahill at ge.com
Wed Dec 2 08:46:10 EST 2015
Let me reiterate here.
My current IDP configuration will Authenticate you against Active Directory. (login.config)
I then have 3 connectors in my IDP attribute-resolver.xml config for gathering attributes.
1 that connects to LDAP to return when needed specific attributes. (ge specific attributes, worker branch)
1 that connects to LDAP for group membership retrieval ( groups branch)
1 that connects to Active Directory for basic attributes like cn, uid, firstname, lastname.
Once you have authenticated against AD, you have gathered the login user's "uid".
This uid is then used to search the first connector, which will gather the users specific "dn" or distinguished name.
That distinguished name is what then is searched against the second groups connector to see what groups a
person is part of. I then send all of those displaynames (i.e. the name of the group, like @Appliances_group_finance)
back to the user as a header.
I was able to then configure the Apache Service Provider Shib.conf to limit who can access the website by using
this location block. Keep in mind that the protected web root being fed in is a variable, and so is the group
"displayname". I originally could not figure out how to make this work, so I was thinking I needed to
use groups to authenticate. In the end I am using them to authorize. Hope this helps.
> <Location /${PROTECTEDAPPROOT}>
> AuthType shibboleth
> ShibRequestSetting requireSession 1
> Require shib-attr displayname ${DISPLAYNAME}
> </Location>
Charles Cahill
Senior Technologist - Authentication/Authorization
TAS App Svcs, SSO/LDAP/Web Application Support
GE Appliances & Lighting
GE Appliance Park
Louisville, Ky/40225
GE imagination at work
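The two-stage lookup described above (uid to user DN, then DN against the groups branch via uniquemember) and the SP-side "Require shib-attr displayname" check, modelled as an added example that is not part of the thread or of Shibboleth itself; the directory entries, branch names and the "unit" attribute are constructed stand-ins for the redacted values in the connector config.

```python
import re

# Constructed stand-ins for the people branch and the groups branch.
PEOPLE = {
    "uid=jdoe,ou=people,o=example.com": {"uid": "jdoe", "cn": "Jane Doe"},
    "uid=bsmith,ou=people,o=example.com": {"uid": "bsmith", "cn": "Bob Smith"},
}
GROUPS = {
    "cn=finance,ou=groups,o=example.com": {
        "unit": "Appliances", "displayname": "@Appliances_group_finance",
        "uniquemember": ["uid=jdoe,ou=people,o=example.com"]},
    "cn=hr,ou=groups,o=example.com": {
        "unit": "Appliances", "displayname": "@Appliances_group_hr",
        "uniquemember": ["uid=jdoe,ou=people,o=example.com",
                         "uid=bsmith,ou=people,o=example.com"]},
    "cn=finance,ou=othergroups,o=example.com": {
        "unit": "Lighting",  # other business unit: excluded by the filter
        "displayname": "@Lighting_group_finance",
        "uniquemember": ["uid=bsmith,ou=people,o=example.com"]},
}

def resolve_user_dn(uid):
    """First connector: (uid=<uid>) against the people branch -> user DN."""
    for dn, entry in PEOPLE.items():
        if entry["uid"] == uid:
            return dn
    return None

def resolve_group_displaynames(user_dn, unit="Appliances"):
    """Second connector: (&(unit=<unit>)(uniquemember=<user DN>)) -> displaynames."""
    return sorted(g["displayname"] for g in GROUPS.values()
                  if g["unit"] == unit and user_dn in g["uniquemember"])

def export_attribute(values):
    """The SP exports a multi-valued attribute joined with ';' (';' in a value escaped as '\\;')."""
    return ";".join(v.replace(";", "\\;") for v in values)

def require_shib_attr(exported, *accepted):
    """'Require shib-attr displayname v1 v2': passes if any exported value exactly equals an accepted one."""
    if not exported:
        return False
    values = [v.replace("\\;", ";") for v in re.split(r"(?<!\\);", exported)]
    return any(v in accepted for v in values)

def authorize(uid, required_group):
    """Full path: authenticate uid -> DN -> group displaynames -> SP Require check."""
    dn = resolve_user_dn(uid)
    if dn is None:
        return False
    return require_shib_attr(export_attribute(resolve_group_displaynames(dn)), required_group)
```

Note that the check is an exact per-value comparison: a substring such as "finance" does not match "@Appliances_group_finance", which is what keeps the Lighting finance group from passing an Appliances rule.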
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Bellina, Brendan
Sent: Tuesday, December 01, 2015 5:15 PM
To: Shib Users
Subject: Re: SAML Authentication using LDAP groups
Glad you were able to get the behavior you wanted, but I'm left a bit confused. This is checking against the user's display name attribute value, not the display name of a group the user is in, right? I thought you were trying to determine what groups the user was in.
Regards,
Brendan Bellina
Identity Mgmt. Architect, IT Services, UCLA
On 12/1/15, 1:29 PM, "users on behalf of Cahill, Charles (GE Appliances)"
<users-bounces at shibboleth.net on behalf of Charles.Cahill at ge.com> wrote:
>Thank you all for your input on this. I was able to solve the problem
>by using configurations on the Apache side SP.
>
>Made the below changes in the shib.conf; Require shib-attr displayname
>${DISPLAYNAME} did the trick. Now, only users with a specific LDAP
>Displayname can access my application. I am feeding in the
>APPLICATION_ENDPOINT, PROTECTEDAPPROOT AND DISPLAYNAME as variables in
>docker that are fed into the Apache SP code I have in github to create
>an Apache instance with the Shibboleth Service Provider installed.
>
><VirtualHost *:80>
>
> ProxyPass /Shibboleth.sso !
> ProxyPass / ${APPLICATION_ENDPOINT}
> ProxyPassReverse /Shibboleth.sso !
> ProxyPassReverse / ${APPLICATION_ENDPOINT}
> RequestHeader set cn "%{cn}e"
> RequestHeader set firstname "%{firstname}e"
> RequestHeader set lastname "%{lastname}e"
> RequestHeader set email "%{email}e"
> RequestHeader set uid "%{uid}e"
> RequestHeader set displayname "%{displayname}e"
>
> <Location /Shibboleth.sso>
> Satisfy Any
> Allow from all
> </Location>
>
> <Location /${PROTECTEDAPPROOT}>
> AuthType shibboleth
> ShibRequestSetting requireSession 1
> Require shib-attr displayname ${DISPLAYNAME}
> </Location>
></VirtualHost>
>
>-----Original Message-----
>From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Curry,
>Warren
>Sent: Tuesday, December 01, 2015 2:44 PM
>To: Shib Users
>Subject: RE: SAML Authentication using LDAP groups
>
>It would seem that you want to do authorization against groups. Not
>authentication with groups.
>
>Why not make the LDAP groups an Attribute and load it in your SAML2 doc?
>This can then be used to determine authorization.
>
>Perhaps I am missing something ...
>
>whc
>
>-----Original Message-----
>From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cahill,
>Charles (GE Appliances)
>Sent: Tuesday, December 01, 2015 10:59 AM
>To: Shib Users <users at shibboleth.net>
>Subject: RE: SAML Authentication using LDAP groups
>
>I am also wondering, could this be handled on the Apache SP side in the
>conf file handling Location information?
>
>-----Original Message-----
>From: Cahill, Charles (GE Appliances)
>Sent: Tuesday, December 01, 2015 10:24 AM
>To: Shib Users
>Subject: SAML Authentication using LDAP groups
>
>Hey All:
>
> I am looking to do something I believe is unique here with Shibboleth
>and need some help to
> understand if it is possible.
>
> I need Shibboleth to do Authentication against LDAP groups. The
>challenge is that LDAP groups
> contain DNs, not UID information, so the UID must first be gathered and
>the DN pulled out.
> The groups branch must then be searched with that DN to see what
>groups the user is a member of.
> The authentication would then need to be done against that information.
>We are doing something
> similar with authorization and the code is below. My question is, can
>scripts be used in the login.config
> to do something along these lines or are scripts not able to be used
>there. I would think I need to use
> requisite and required login modules to make this work as well maybe
>with some variables.
>
> Here is our authorization methodology for returning the displayname of
>a group as a header. I need
>not to return this header in some instances but to be able to do full
>authentication based on group membership.
>
> <!--ODSEE LDAP Groups Connector Configs-->
> <resolver:DataConnector id="slapd-xxxx-user-groups"
>xsi:type="dc:LDAPDirectory"
> ldapURL="ldaps://xxxxx ldaps://xxxxx"
> principalCredential="xxxxx"
> principal="xxxxx"
> connectionStrategy="ACTIVE_PASSIVE"
> maxResultSize="50"
> mergeResults="true"
> baseDN="ou=xxxxxgroups,ou=groups,o=xx.com">
> <resolver:Dependency ref="slapd-xxx.xxx.xx.com" />
> <resolver:Dependency ref="gexxxuid" />
> <dc:FilterTemplate>
> <![CDATA[
>
>(&(gexxxxxunit=Appliances)(uniquemember=gexxxuid=$gexxxuid.get(0),ou=ge
>xxx,o=xx.com))
> ]]>
> </dc:FilterTemplate>
> <dc:ReturnAttributes>displayname</dc:ReturnAttributes>
> <dc:LDAPProperty name="java.naming.ldap.factory.socket"
>value="javax.net.ssl.SSLSocketFactory"/>
> <dc:ConnectionPool
> minPoolSize="1"
> maxPoolSize="8"
> blockWhenEmpty="true"
> blockWaitTime="PT5S"
> expirationTime="PT10M"/>
> </resolver:DataConnector>
>--
>To unsubscribe from this list send an email to
>users-unsubscribe at shibboleth.net