release the exact ldap attribute value
Ian Bobbitt
ibobbitt at globalnoc.iu.edu
Wed Nov 20 11:14:24 EST 2019
On 11/20/19 8:20 AM, Souleye Ndiaye wrote:
>
> Hi,
>
> How can I tell the IdP to return the exact LDAP value (e.g. uid)
> instead of the user entry during authentication? I want to achieve that a
> uid „case matching“ between SP and LDAP is guaranteed.
>
You can access LDAP attributes with a Simple AttributeDefinition
<https://wiki.shibboleth.net/confluence/display/IDP30/SimpleAttributeDefinition>.
The example attribute-resolver-ldap.xml configuration file contains
pretty much exactly what you want.

    <AttributeDefinition id="uid" xsi:type="Simple">
        <InputDataConnector ref="myLDAP" attributeNames="uid"/>
        <AttributeEncoder xsi:type="SAML1String"
            name="urn:mace:dir:attribute-def:uid" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String"
            name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid"
            encodeType="false" />
    </AttributeDefinition>

The usual caveats apply. Case sensitivity for usernames is going to
cause problems for you at some point. Unscoped usernames are unsafe in a
federated environment.
>
> Version: 3.3.1
>
This is very old. 3.3.1 was released in March 2017. There are a lot of
bug fixes, feature improvements, and a handful of security advisories
that may or may not apply to your particular configuration.
<https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes>
>
> Best regards
>
> Souleye
>
>
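
An added example, not part of the original message: a small model of the two caveats in the reply, showing which account keys a case-sensitive SP ends up with depending on whether the IdP releases the typed or the stored uid, and whether the value is scoped. The scopes, usernames and function names are constructed for illustration, and the directory is assumed to match uid case-insensitively.

```python
# Added illustration, not from the thread. Scopes and usernames are constructed.
DIRECTORIES = {            # IdP scope -> uid values exactly as stored in LDAP
    "example.edu": ["jdoe"],
    "example.org": ["jdoe"],   # a different person with the same local uid
}

# (IdP scope, username as typed at the login form) - constructed sample logins
LOGINS = [("example.edu", "jdoe"), ("example.edu", "JDoe"), ("example.org", "jdoe")]


def ldap_lookup(scope, typed):
    """Model a case-insensitive uid match; return the stored value or None."""
    for stored in DIRECTORIES.get(scope, []):
        if stored.lower() == typed.lower():
            return stored
    return None


def sp_account_keys(logins, release_stored, scoped):
    """Account keys a case-sensitive SP would create for the given logins."""
    keys = set()
    for scope, typed in logins:
        stored = ldap_lookup(scope, typed)
        if stored is None:
            continue  # authentication fails, nothing is released
        value = stored if release_stored else typed
        keys.add(f"{value}@{scope}" if scoped else value)
    return keys


if __name__ == "__main__":
    for release_stored in (False, True):
        for scoped in (False, True):
            keys = sorted(sp_account_keys(LOGINS, release_stored, scoped))
            print(f"stored={release_stored} scoped={scoped}: {keys}")
```

Only the stored, scoped combination yields one key per real person; the unscoped variants either split one user into two accounts or merge two users from different IdPs into one.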