release the exact ldap attribute value

Ian Bobbitt ibobbitt at
Wed Nov 20 11:14:24 EST 2019

On 11/20/19 8:20 AM, Souleye Ndiaye wrote:
> Hi,
> how can I tell the IdP to return the exact LDAP value (e.g. uid)
> instead of the user entry during authentication? I want to achieve that a
> uid „case matching“ between SP and LDAP is guaranteed.
You can access LDAP attributes with a Simple AttributeDefinition.
The example attribute-resolver-ldap.xml configuration file contains 
pretty much exactly what you want.

     <AttributeDefinition id="uid" xsi:type="Simple">
         <InputDataConnector ref="myLDAP" attributeNames="uid"/>
         <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
         <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
     </AttributeDefinition>

The usual caveats apply. Case sensitivity for usernames is going to 
cause problems for you at some point. Unscoped usernames are unsafe in a 
federated environment.

> Version: 3.3.1
This is very old. 3.3.1 was released in March 2017. There are a lot of 
bug fixes, feature improvements, and a handful of security advisories 
that may or may not apply to your particular configuration. 
> Best regards
> Souleye
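
The two caveats in the reply above (case-sensitive usernames, and unscoped usernames in a federation), seen from the SP side. This is an added example, not part of the original post and not Shibboleth code; the login tuples, host names, the `ALLOWED_SCOPES` table, the case-folding choice and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample logins: (issuing IdP, uid as released, scope, real person).
LOGINS = [
    ("https://idp.example.edu", "JSmith", "example.edu", "Jane @ example.edu"),
    ("https://idp.example.edu", "jsmith", "example.edu", "Jane @ example.edu"),
    ("https://idp.example.org", "jsmith", "example.org", "John @ example.org"),
]

# Scopes each IdP may assert (hypothetical table; federations publish this in metadata).
ALLOWED_SCOPES = {
    "https://idp.example.edu": {"example.edu"},
    "https://idp.example.org": {"example.org"},
}

def key_bare(issuer, uid, scope):
    """SP keys accounts on the bare uid, compared case-sensitively."""
    return uid

def key_bare_folded(issuer, uid, scope):
    """SP keys on the bare uid but ignores case."""
    return uid.casefold()

def key_scoped(issuer, uid, scope):
    """SP keys on uid@scope, and only accepts a scope its issuer may assert."""
    if scope not in ALLOWED_SCOPES.get(issuer, set()):
        raise ValueError(f"{issuer} may not assert scope {scope!r}")
    return f"{uid.casefold()}@{scope}"

def audit(key_fn, logins=LOGINS):
    """Return (shared, split): keys used by >1 person, people holding >1 key."""
    people_by_key, keys_by_person = defaultdict(set), defaultdict(set)
    for issuer, uid, scope, person in logins:
        key = key_fn(issuer, uid, scope)
        people_by_key[key].add(person)
        keys_by_person[person].add(key)
    shared = {k for k, p in people_by_key.items() if len(p) > 1}
    split = {p for p, k in keys_by_person.items() if len(k) > 1}
    return shared, split

if __name__ == "__main__":
    for fn in (key_bare, key_bare_folded, key_scoped):
        print(fn.__name__, audit(fn))
```

A non-empty `shared` set means two different people land in one SP account; a non-empty `split` set means one person ends up with several accounts.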
