SP specific password transforms?

Dylan Martin Dylan.Martin at seattlecolleges.edu
Thu Dec 1 15:51:55 EST 2016


Hi all.

I have an IDPv3 and I need to perform different password transforms for two
different SPs.  Is there a way to say to use one transform for one SP and a
different transform for a different SP?

Is there a generic or idiomatic way to make a setting only apply to
particular SPs in Shibboleth?  I imagine it comes up a lot.
The PolicyRequirementRule in the attribute filter is the closest thing I've
seen, but I doubt that would work in password-authn-config.xml.  Or maybe
I'm thinking about it wrong.  Maybe you add the transform to the relying
party config?

Here's the whole situation, if you haven't already fallen asleep or
answered my question:

We're a campus within a district.  The district recently set up a
district-wide AD server, and I'm using that as the LDAP back-end for my
shib system.  Our Google apps domain is different from the district domain,
but I've set up provisioning so the Google accounts have the same username
part of the user's email address.

E.g., a Google account might look like alice.smith at campus.edu and the district
account might look like alice.smith at district.edu.

Because our Google domain is our own campus thing, it expects logins like
alice.smith at campus.edu.  The other SP we use is set up to expect logins like
alice.smith at district.edu.

I set up a regex transform so users could enter just the username or the
username and domain for the SP I've already got working.  Obviously, this
same transform will not work with Google.

Sorry to keep going, but I have a habit of not making sense, so I'm trying
to be thorough.  Please ignore if you like.

User enters username "alice.smith"
Google expects "alice.smith at campus.edu"
Other SP expects "alice.smith at district.edu"

Hopefully that makes sense.  Sorry if this is documented somewhere and I
missed it.

Thanks!
-Dylan