Multiple group memberships
Ian Bobbitt
ibobbitt at globalnoc.iu.edu
Tue Feb 14 16:55:42 EST 2017
Hi,
I'm trying to send LDAP group memberships along to an SP. Piecing together some parts from an old list post
<http://shibboleth.net/pipermail/users/2014-July/016401.html>, I got it to pass the first group, but only that one. I'm
using IdP 3.3.0, and my LDAP server doesn't have memberOf. What do I need to do to get this to work?
This is what I get in the SAML message:
<saml2:Attribute FriendlyName="groupMembership" Name="urn:oid:2.16.840.1.113719.1.1.4.1.25"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">cn=...,ou=groups,...</saml2:AttributeValue>
</saml2:Attribute>
This is what I have in my attribute-resolver.xml:
<!-- Simple definition: exposes the entryDN values supplied by the groupMembershipDC connector as the groupMembership attribute. -->
<resolver:AttributeDefinition id="groupMembership" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="entryDN">
<!-- The only source of values is the LDAP group search below. -->
<resolver:Dependency ref="groupMembershipDC" />
<!-- Released to SPs as a SAML 2 string attribute under this OID / friendly name. -->
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113719.1.1.4.1.25"
friendlyName="groupMembership"/>
</resolver:AttributeDefinition>
<!-- LDAP search over the groups subtree; every groupOfNames entry listing the current user as a member
     is expected to contribute its entryDN. Connection is ldaps:// (TLS on connect), so StartTLS is off. -->
<resolver:DataConnector id="groupMembershipDC" xsi:type="dc:LDAPDirectory"
ldapURL="ldaps://..."
baseDN="ou=groups,.."
principal="..."
principalCredential="..."
useStartTLS="false">
<!-- The principal name of the authenticated subject is substituted into the filter.
     NOTE(review): confirm that this IdP version applies LDAP filter escaping to template
     values, or that principal names cannot contain filter metacharacters; not visible here. -->
<dc:FilterTemplate>
<![CDATA[
(&(objectclass=groupOfNames)(member=uid=${requestContext.principalName},ou=people,...))
]]>
</dc:FilterTemplate>
<!-- entryDN is requested explicitly; it is the only attribute pulled from each matching group. -->
<dc:ReturnAttributes>entryDN</dc:ReturnAttributes>
<!-- CA certificate used to verify the directory's TLS certificate.
     NOTE(review): named StartTLS, but useStartTLS is false and the URL is ldaps://; confirm this
     credential is what the connector actually uses for LDAPS trust in 3.3.0. -->
<dc:StartTLSTrustCredential xsi:type="sec:X509ResourceBacked" id="LDAP_CA_Certificate">
<sec:Certificate>...</sec:Certificate>
</dc:StartTLSTrustCredential>
</resolver:DataConnector>
I've also tried building it with a ScriptedAttribute and get the same result:
<!-- Scripted alternative to the Simple definition: copies every value of entryDN into groupMembership. -->
<resolver:AttributeDefinition xsi:type="resolver:ScriptedAttribute" id="groupMembership">
<!-- entryDN is made available to the script by this dependency. -->
<resolver:Dependency ref="groupMembershipDC" />
<resolver:Script><![CDATA[
// Logger for this definition; obtained but not written to anywhere in this script.
logger =
Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute.resolver.groupMembership");
// Java class used to wrap each copied string value.
valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
// Fallback if groupMembership is not already bound. BasicAttribute is not defined in this
// script, so this branch would fail if it were ever reached.
// NOTE(review): presumably the attribute named by the definition id is pre-bound by the IdP and
// this branch is never taken; confirm before relying on it.
if (null == groupMembership) {
groupMembership = new BasicAttribute("groupMembership")
}
// Copy each value of entryDN. The `entryDN != null` test inside the loop condition repeats the
// guard on the line above it.
if (typeof entryDN != "undefined" && entryDN != null ){
for ( i = 0; entryDN != null && i < entryDN.getValues().size(); i++ ){
groupMembership.addValue(new valueType(entryDN.getValues().get(i)));
}
}
]]></resolver:Script>
<!-- Same encoder as the Simple variant: SAML 2 string under this OID / friendly name. -->
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113719.1.1.4.1.25"
friendlyName="groupMembership"/>
</resolver:AttributeDefinition>
--
Ian