Change the "name=" value for the UID attribute definition for specific entityIDs
Joseph Fischetti
Joseph.Fischetti at marist.edu
Wed Oct 4 11:37:22 EDT 2017
There are 2 easy/functional, but maybe not optimal, approaches:
1. Add a new AttributeDefinition in attribute-resolver.xml with a unique id for that service. Specify an encoder in that definition that just defines the name. Then release that attribute to that SP. I've done this for some CAS/pac4j/Shibboleth IDP integration.
<resolver:AttributeDefinition xsi:type="ad:Simple" id="SpecialServiceUid" sourceAttributeID="uid">
    <!-- same data connector as the existing "uid" definition; without a dependency the Simple definition resolves nothing -->
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML2String" name="uid" />
</resolver:AttributeDefinition>
2. Or: Add another AttributeEncoder to the existing definition with the name="uid" (like above)
The problem with this is that it'll be included as another saml2:Attribute in every assertion that's sent to every SP that gets uid. I.e. every SP that gets "uid" will get the following. I'm sure there are more downsides than just cluttered assertions, but I don't know.
<saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xsd:string">THIS IS THE UID</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xsd:string">THIS IS THE UID</saml2:AttributeValue>
</saml2:Attribute>
Joseph Fischetti
Linux System Administrator
Marist College
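The release step of approach 1 above, as an added example that is not from the thread: an attribute-filter.xml policy (Shibboleth IdP v3 filter syntax assumed) that hands the renamed copy to one requester only. The entityID and the policy id are placeholders; the attribute id matches the definition above.

```xml
<!-- Added example, not from the thread. Release the renamed copy of uid to a single SP.
     "https://sp.example.org/shibboleth" is a placeholder for that SP's entityID. -->
<AttributeFilterPolicy id="releaseSpecialServiceUid">
    <!-- Applies only when this exact entityID is the requester. -->
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth" />

    <!-- Only the per-SP definition is released here. Keep the regular "uid" definition
         out of any policy that matches this requester, otherwise the SP receives both
         urn:oid:0.9.2342.19200300.100.1.1 and "uid" in the same assertion (the
         cluttered-assertion problem of approach 2). -->
    <AttributeRule attributeID="SpecialServiceUid">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

Before pointing the SP at the IdP, check the resulting attribute set for that principal and requester with the IdP's aacli.sh and confirm that only the "uid"-named attribute appears for that entityID.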
-----"users" <users-bounces at shibboleth.net> wrote: -----
To: users at shibboleth.net
From: Jay Hoff
Sent by: "users"
Date: 10/03/2017 10:34AM
Subject: Change the "name=" value for the UID attribute definition for specific entityIDs
Hello,
Is it possible to change the value for a mapped attribute definition in the attribute-resolver.xml for a select few entityIDs, not globally for the IdP? I have the standard definition for the UID attribute in my attribute-resolver.xml file:
<resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
</resolver:AttributeDefinition>
The problem is that I have an SP that requires the released attribute to have name="uid" rather than name="urn:oid:0.9.2342.19200300.100.1.1" for the "uid" attribute.
The SP sees this:
<saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="uid">
        <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xsd:string">jeh26</saml2:AttributeValue>
    </saml:Attribute>
But they want:
<AttributeStatement>
    <Attribute Name="uid">
        <AttributeValue>sus21</AttributeValue>
    </Attribute>
</AttributeStatement>
In other words, it should say uid, not "urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="uid".
Any help is much appreciated.