Multiple group memberships

Ian Bobbitt ibobbitt at globalnoc.iu.edu
Tue Feb 14 16:55:42 EST 2017


Hi,

I'm trying to send LDAP group memberships along to an SP. Piecing together some parts from an old list post
<http://shibboleth.net/pipermail/users/2014-July/016401.html>, I have it passing the first group, but only that one. I'm
using IdP 3.3.0, and my LDAP server doesn't have memberOf. What do I need to do to get all of the groups released?

This is what I get in the SAML message:

<!-- Observed output: a single AttributeValue is emitted for groupMembership
     even though the LDAP search is expected to match several groups. -->
<saml2:Attribute FriendlyName="groupMembership" Name="urn:oid:2.16.840.1.113719.1.1.4.1.25"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">cn=...,ou=groups,...</saml2:AttributeValue>
</saml2:Attribute>

This is what I have in my attribute-resolver.xml:

    <!-- groupMembership: re-exposes the entryDN values produced by the groupMembershipDC
         connector as a SAML2 string attribute.
         NOTE(review): the unprefixed xsi:type="Simple" is resolved against the default
         namespace declared on this element (urn:mace:shibboleth:2.0:resolver:ad, the legacy
         "ad" namespace), whereas the ScriptedAttribute definition below uses the
         resolver:-prefixed form; confirm against the 3.3.0 schema and use one style
         consistently so the type resolution is unambiguous. -->
    <resolver:AttributeDefinition id="groupMembership" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="entryDN">
        <resolver:Dependency ref="groupMembershipDC" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113719.1.1.4.1.25"
friendlyName="groupMembership"/>
    </resolver:AttributeDefinition>

    <!-- groupMembershipDC: searches ou=groups for groupOfNames entries whose member attribute
         names the authenticating principal and returns each match's entryDN.
         NOTE(review): one principal can match many groups; whether every matching entry's
         entryDN is merged into one multi-valued attribute or only the first entry is kept
         cannot be determined from this fragment and is the behaviour in question. -->
    <resolver:DataConnector id="groupMembershipDC" xsi:type="dc:LDAPDirectory"
        ldapURL="ldaps://..."
        baseDN="ou=groups,.."
        principal="..."
        principalCredential="..."
        useStartTLS="false">
        <!-- Transport security here relies on the ldaps:// URL, not StartTLS.
             NOTE(review): the bind credential is a literal in this file; prefer a property
             placeholder so the secret is not kept in attribute-resolver.xml. -->
        <dc:FilterTemplate>
            <!-- ${requestContext.principalName} is interpolated into the search filter.
                 NOTE(review): confirm the 3.3.0 template builder applies LDAP filter
                 escaping to that value before it is inserted; also confirm
                 requestContext.principalName is still the supported variable name in v3. -->
            <![CDATA[
                (&(objectclass=groupOfNames)(member=uid=${requestContext.principalName},ou=people,...))
            ]]>
        </dc:FilterTemplate>
        <dc:ReturnAttributes>entryDN</dc:ReturnAttributes>
        <!-- NOTE(review): despite its name this element presumably also supplies the CA
             used to verify the ldaps:// server certificate; confirm for 3.3.0, otherwise
             the listed CA is unused with useStartTLS="false". -->
        <dc:StartTLSTrustCredential xsi:type="sec:X509ResourceBacked" id="LDAP_CA_Certificate">
                <sec:Certificate>...</sec:Certificate>
        </dc:StartTLSTrustCredential>
    </resolver:DataConnector>

I've also tried building it with a ScriptedAttribute and get the same result:

    <!-- groupMembership (scripted variant): copies every value of the entryDN attribute
         from groupMembershipDC into the groupMembership attribute as StringAttributeValues.
         NOTE(review): BasicAttribute is the IdP v2 type; in v3 the attribute named by the
         definition id is normally already present in the script scope, so the
         "null == groupMembership" branch is likely never taken. Also confirm whether
         entryDN.getValues().get(i) yields a String or an attribute-value object; the
         StringAttributeValue constructor expects the former. -->
    <resolver:AttributeDefinition xsi:type="resolver:ScriptedAttribute" id="groupMembership">
        <resolver:Dependency ref="groupMembershipDC" />
        <resolver:Script><![CDATA[
            logger =
Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute.resolver.groupMembership");
            valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
            if (null == groupMembership) {
                groupMembership = new BasicAttribute("groupMembership")
            }
            // Guard so an unresolved dependency (undefined/null entryDN) does not throw.
            if (typeof entryDN != "undefined" && entryDN != null ){
                // The per-iteration null re-check is redundant given the guard above.
                for ( i = 0; entryDN != null && i < entryDN.getValues().size(); i++ ){
                    groupMembership.addValue(new valueType(entryDN.getValues().get(i)));
                }
            }
        ]]></resolver:Script>
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113719.1.1.4.1.25"
friendlyName="groupMembership"/>
    </resolver:AttributeDefinition>

-- 
Ian


