X509 login - how to send certificate subject from IdP to SP?
Andrej Gregorka
Andrej.Gregorka at ixtlan-team.si
Thu May 7 11:45:24 EDT 2015
Hello,
I'm trying to set up the X509 login handler as described on this page:
https://wiki.shibboleth.net/confluence/display/SHIB2/X.509+Login+Handler
The example there shows how to get attributes from LDAP based on the certificate subject.
What if I want to send the certificate subject as an attribute from the IdP to the SP? How can I achieve that?
I tried changing dependencyOnly="true" to dependencyOnly="false" in the following attribute definition and adding a <resolver:AttributeEncoder> tag inside it, but then I get the following error in the log file:
15:32:43.159 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - Configuration was not loaded for shibboleth.AttributeResolver service, error creating components. The root cause of this error was: org.xml.sax.SAXParseException: cvc-complex-type.2.4.d: Invalid content was found starting with element 'resolver:AttributeEncoder'. No child element is expected at this point.
Original:
<resolver:AttributeDefinition xsi:type="Script"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    dependencyOnly="true"
    id="x500Principal">
    <Script><![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        importPackage(Packages.javax.security.auth.x500);
        x500Principal = new BasicAttribute("x500Principal");
        subject = requestContext.getUserSession().getSubject();
        if (subject != null) {
            x500Principal.getValues().addAll(subject.getPrincipals(X500Principal("").getClass()));
        }
    ]]></Script>
</resolver:AttributeDefinition>
Modified:
<resolver:AttributeDefinition xsi:type="Script"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    dependencyOnly="false"
    id="x500Principal">
    <Script><![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        importPackage(Packages.javax.security.auth.x500);
        x500Principal = new BasicAttribute("x500Principal");
        subject = requestContext.getUserSession().getSubject();
        if (subject != null) {
            x500Principal.getValues().addAll(subject.getPrincipals(X500Principal("").getClass()));
        }
    ]]></Script>
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
</resolver:AttributeDefinition>
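The schema error quoted in the post is an element-order problem: in the IdP 2.x attribute resolver schema, a Script attribute definition extends the base definition type, so the generic children (resolver:Dependency, resolver:AttributeEncoder, DisplayName, DisplayDescription) must come first and the type-specific Script element must come last. The definition below is an added example, not code from the original post or from the Shibboleth wiki: it places the encoders before the Script and exports the subject DN as a plain string via getName() so that the string encoders have a simple value to serialize. The attribute id certSubjectDN and the encoder names under urn:mace:example.org are assumed placeholders; the enc prefix is assumed to be declared in attribute-resolver.xml as in the stock configuration.

```xml
<!-- Added example (not from the original post): encoders before Script,
     as the resolver schema requires. Attribute id and encoder names are
     assumed placeholders; agree real names with the SP. -->
<resolver:AttributeDefinition xsi:type="Script"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    id="certSubjectDN">

    <!-- Generic children first: encoders (and any resolver:Dependency) -->
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:example.org:attribute-def:certSubjectDN" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:mace:example.org:attribute-def:certSubjectDN"
        friendlyName="certSubjectDN" />

    <!-- Type-specific Script element last -->
    <Script><![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        importPackage(Packages.javax.security.auth.x500);

        // The script must create a variable named after the definition id.
        certSubjectDN = new BasicAttribute("certSubjectDN");

        // Subject of the authenticated session, populated by the X.509 login handler.
        subject = requestContext.getUserSession().getSubject();
        if (subject != null) {
            // Add the DN as a string (RFC 2253 form from getName()) instead of the
            // X500Principal object, so the string encoders get a plain value.
            principals = subject.getPrincipals(X500Principal("").getClass()).iterator();
            while (principals.hasNext()) {
                certSubjectDN.getValues().add(principals.next().getName());
            }
        }
    ]]></Script>
</resolver:AttributeDefinition>
```

Because dependencyOnly is left at its default of false, the attribute is available for release; it still has to be permitted for the SP in attribute-filter.xml before it appears in the assertion. The value reflects the client certificate the IdP actually validated, so the SP should treat it as an IdP-asserted identifier and not re-derive trust from it.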