authentication positive - attributes negative
Pfeuffer, Susanne
Susanne.Pfeuffer at dhbw.de
Mon Mar 2 07:12:17 EST 2020
Hi there,
Hope anybody can help me.
I can successfully log in to the DFN test servers, but I don't get any attributes. I think it has to do with the 3 LDAP servers in which I look up my users.
With only one LDAP everything works just fine...
So please help
Greetz
Susie
Attribute-resolver:
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
xmlns="urn:mace:shibboleth:2.0:resolver"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- ========================================== -->
<!-- Attribute aus Userangaben -->
<!-- uid: the authenticated principal name (xsi:type PrincipalName). It has no
     InputDataConnector here, so it does not depend on any of the LDAP lookups
     below. Encoded as SAML1 urn:mace:dir:attribute-def:uid and as SAML2
     urn:oid:0.9.2342.19200300.100.1.1 with friendlyName "uid"; encodeType="false"
     omits the xsi:type on the encoded value. -->
<AttributeDefinition id="uid" xsi:type="PrincipalName">
<DisplayName xml:lang="en">User Name</DisplayName>
<DisplayName xml:lang="de">Nutzerkennung</DisplayName>
<DisplayDescription xml:lang="en">Local User Id</DisplayDescription>
<DisplayDescription xml:lang="de">Nutzerkennung der Heimateinrichtung</DisplayDescription>
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
</AttributeDefinition>
<!-- Attribute aus dem IdM -->
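<!-- organizationName: the "o" attribute of the user entry, taken from whichever
     of the three LDAP connectors returns it. Like the sibling definitions (mail,
     surname, givenName) it selects the source attribute with
     InputDataConnector/attributeNames only; the sourceAttributeID="o" that used
     to be set here was redundant with attributeNames="o" and has been dropped so
     all Simple definitions in this file are written the same way.
     DisplayName/DisplayDescription were added for parity with the siblings (they
     only affect consent/UI rendering, not the released value). -->
<AttributeDefinition xsi:type="Simple" id="organizationName">
<InputDataConnector ref="myLDAP" attributeNames="o"/>
<InputDataConnector ref="myLDAP1" attributeNames="o"/>
<InputDataConnector ref="myLDAP2" attributeNames="o"/>
<DisplayName xml:lang="en">Organization name</DisplayName>
<DisplayName xml:lang="de">Name der Einrichtung</DisplayName>
<DisplayDescription xml:lang="en">Name of the home organization</DisplayDescription>
<DisplayDescription xml:lang="de">Name der Heimateinrichtung</DisplayDescription>
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
</AttributeDefinition>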
<!-- mail: the "mail" attribute from any of the three LDAP connectors (myLDAP,
     myLDAP1, myLDAP2). Values from every connector that returns "mail" are
     collected; nothing here de-duplicates or prefers one directory over another.
     Encoded as SAML1 urn:mace:dir:attribute-def:mail and SAML2
     urn:oid:0.9.2342.19200300.100.1.3 (friendlyName "mail"). -->
<AttributeDefinition id="mail" xsi:type="Simple">
<InputDataConnector ref="myLDAP" attributeNames="mail"/>
<InputDataConnector ref="myLDAP1" attributeNames="mail"/>
<InputDataConnector ref="myLDAP2" attributeNames="mail"/>
<DisplayName xml:lang="en">E-mail</DisplayName>
<DisplayName xml:lang="de">E-Mail</DisplayName>
<DisplayDescription xml:lang="en">E-Mail address</DisplayDescription>
<DisplayDescription xml:lang="de">E-Mail Adresse</DisplayDescription>
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</AttributeDefinition>
<!-- surname: the LDAP "sn" attribute from any of the three connectors. The
     resolver id is "surname" (the filter policy below refers to it by that id),
     while the encoded SAML names are the standard sn ones:
     urn:mace:dir:attribute-def:sn and urn:oid:2.5.4.4 (friendlyName "sn"). -->
<AttributeDefinition id="surname" xsi:type="Simple">
<InputDataConnector ref="myLDAP" attributeNames="sn"/>
<InputDataConnector ref="myLDAP1" attributeNames="sn"/>
<InputDataConnector ref="myLDAP2" attributeNames="sn"/>
<DisplayName xml:lang="en">Surname</DisplayName>
<DisplayName xml:lang="de">Nachname</DisplayName>
<DisplayDescription xml:lang="en">Surname or family name</DisplayDescription>
<DisplayDescription xml:lang="de">Familienname des Nutzers bzw. der Nutzerin</DisplayDescription>
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
</AttributeDefinition>
<!-- givenName: the LDAP "givenName" attribute from any of the three connectors,
     encoded as SAML1 urn:mace:dir:attribute-def:givenName and SAML2
     urn:oid:2.5.4.42 (friendlyName "givenName"). Same shape as mail/surname. -->
<AttributeDefinition id="givenName" xsi:type="Simple">
<InputDataConnector ref="myLDAP" attributeNames="givenName"/>
<InputDataConnector ref="myLDAP1" attributeNames="givenName"/>
<InputDataConnector ref="myLDAP2" attributeNames="givenName"/>
<DisplayName xml:lang="en">Given name</DisplayName>
<DisplayName xml:lang="de">Vorname</DisplayName>
<DisplayDescription xml:lang="en">Given name of a person</DisplayDescription>
<DisplayDescription xml:lang="de">Vorname des Nutzers bzw. der Nutzerin</DisplayDescription>
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
</AttributeDefinition>
<!-- eduPersonAffiliation aus dem 'memberOf' herausholen -->
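<!-- eduPersonAffiliation: derived from the memberOf group DNs delivered by the
     three LDAP connectors. Each SourceValue is a regular expression applied
     case-insensitively to a memberOf value (a group DN such as
     "CN=Shibboleth-Studenten,OU=..."; the trailing .+ covers the rest of the DN).
     Every ValueMap whose SourceValue matches contributes its ReturnValue, so one
     group membership can yield both a role ("student"/"staff") and "member".
     This attribute feeds eduPersonScopedAffiliation and the eduPersonEntitlement
     script below, so its mapping decides what publisher SPs receive. -->
<AttributeDefinition xsi:type="Mapped" id="eduPersonAffiliation">
<InputDataConnector ref="myLDAP" attributeNames="memberOf"/>
<InputDataConnector ref="myLDAP1" attributeNames="memberOf"/>
<InputDataConnector ref="myLDAP2" attributeNames="memberOf"/>
<DisplayName xml:lang="en">Affiliation type</DisplayName>
<DisplayName xml:lang="de">Zugehörigkeit</DisplayName>
<DisplayDescription xml:lang="en">Type of affiliation with Home Organization</DisplayDescription>
<DisplayDescription xml:lang="de">Art der Zugehörigkeit zur Heimateinrichtung</DisplayDescription>
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
<!-- Default "affiliate", so that at least one value is always present (also for
     users whose memberOf matches none of the groups below). -->
<DefaultValue>affiliate</DefaultValue>
<!-- Mapping of the IdM groups: each group gets its own eduPersonAffiliation and
     additionally "member" where the group counts as "Angehörige" in the LHG sense.
     The patterns for Member, Dozenten and Mitarbeiter require the DN separator ","
     directly after the group CN, so a group whose CN merely starts with the same
     text (a constructed "Shibboleth-Member-extern", say) is not mapped to a role.
     The staff pattern for Shibboleth-Member previously read "cn=Shibboleth-Member.+"
     and therefore matched such groups, while the "member" map for the same group
     already required the comma; it now matches the member map.
     NOTE(review): the two Shibboleth-Studenten patterns have no comma in either
     map. Keep that only if the real group CN continues after "Studenten";
     otherwise tighten them the same way. Confirm against the directory. -->
<ValueMap>
<ReturnValue>student</ReturnValue>
<SourceValue ignoreCase="true">cn=Shibboleth-Studenten.+</SourceValue>
</ValueMap>
<ValueMap>
<ReturnValue>staff</ReturnValue>
<SourceValue ignoreCase="true">cn=Shibboleth-Member,.+</SourceValue>
<SourceValue ignoreCase="true">cn=Shibboleth-Dozenten,.+</SourceValue>
<SourceValue ignoreCase="true">cn=Shibboleth-Mitarbeiter,.+</SourceValue>
</ValueMap>
<ValueMap>
<ReturnValue>member</ReturnValue>
<SourceValue ignoreCase="true">cn=Shibboleth-Studenten.+</SourceValue>
<SourceValue ignoreCase="true">cn=Shibboleth-Member,.+</SourceValue>
<SourceValue ignoreCase="true">cn=Shibboleth-Mitarbeiter,.+</SourceValue>
<SourceValue ignoreCase="true">cn=Shibboleth-Dozenten,.+</SourceValue>
</ValueMap>
</AttributeDefinition>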
<!-- eduPersonScopedAffiliation aus eduPersonAffiliation bilden -->
<!-- eduPersonScopedAffiliation: every value of eduPersonAffiliation (including
     the resolver default "affiliate") with the scope %{idp.scope} appended,
     i.e. value@scope. Encoded with the scoped SAML1/SAML2 encoders
     (urn:mace:dir:attribute-def:eduPersonScopedAffiliation and
     urn:oid:1.3.6.1.4.1.5923.1.1.1.9). Which of these values actually leave the
     IdP is decided per SP in the attribute filter, not here. -->
<AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}">
<InputAttributeDefinition ref="eduPersonAffiliation"/>
<DisplayName xml:lang="en">Affiliation type (with institution)</DisplayName>
<DisplayName xml:lang="de">Zugehörigkeit (+ Einrichtung)</DisplayName>
<DisplayDescription xml:lang="en">Type of affiliation with Home Organization with scope</DisplayDescription>
<DisplayDescription xml:lang="de">Art der Zugehörigkeit zur Heimateinrichtung mit Geltungsbereich</DisplayDescription>
<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
</AttributeDefinition>
<!-- eduPersonEntitlement je nach eduPersonAffiliation setzen -->
<!-- eduPersonEntitlement: computed by script from eduPersonAffiliation. The only
     rule is: if "member" is among the affiliation values, add the entitlement
     urn:mace:dir:entitlement:common-lib-terms; otherwise the attribute stays
     empty. "member" is produced only by the group mapping above, never by the
     "affiliate" default, so users without a mapped group get no entitlement.
     The attribute filter releases this value to every requester, so the script
     should keep granting it strictly on the mapped memberships. -->
<AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
<InputAttributeDefinition ref="eduPersonAffiliation" />
<DisplayName xml:lang="en">Entitlement</DisplayName>
<DisplayName xml:lang="de">Berechtigung</DisplayName>
<DisplayDescription xml:lang="en">URI that indicates a set of rights to specific resources</DisplayDescription>
<DisplayDescription xml:lang="de">Zeichenkette, die Rechte für spezifische Ressourcen beschreibt</DisplayDescription>
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
<!-- Script body kept verbatim; the scripting engine exposes the input
     attribute and this attribute as variables named after their ids. -->
<Script>
<![CDATA[
if (eduPersonAffiliation.getValues().contains("member")) {
eduPersonEntitlement.getValues().add("urn:mace:dir:entitlement:common-lib-terms");
}
]]>
</Script>
</AttributeDefinition>
<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->
<!-- myLDAP: first of three LDAPDirectory connectors (myLDAP, myLDAP1, myLDAP2),
     one per directory. Host, base DN, bind DN and bind credential come from the
     unsuffixed idp.attribute.resolver.LDAP.* properties (the other two use ".1"
     and ".2"); no secret is written into this file. useStartTLS and connectTimeout
     have no per-directory suffix, and the FilterTemplate and pool settings are
     the same properties for all three connectors.
     NOTE(review): useStartTLS defaults to true here, but no trust material (for
     example trustFile) is configured on the connector, so server-certificate
     validation depends on the JVM/LDAP library defaults. Confirm what is trusted.
     NOTE(review): no ReturnAttributes is set, so the search asks for every
     attribute of the entry although this resolver only consumes o, mail, sn,
     givenName and memberOf; restricting the request to those is least privilege.
     NOTE(review): a user that exists in only one directory yields an empty search
     in the other two; noResultIsError is not set and its documented default is
     false, so that alone should not be an error. A connector that throws instead
     (unresolved ".1"/".2" property, failed bind, TLS failure) can make the whole
     resolution fail while the login itself still succeeds with no attributes,
     which matches the symptom described in the mail. Check idp-process.log for
     errors from myLDAP1/myLDAP2 before changing the definitions. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
principal="%{idp.attribute.resolver.LDAP.bindDN}"
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
>
<!-- Search filter is the shared searchFilter property; it must be valid
     against every directory it is sent to. -->
<FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
</FilterTemplate>
<!-- Pool sizes and validation intervals are shared idp.pool.LDAP.* properties
     with the defaults given after the colon (ISO 8601 durations). -->
<ConnectionPool
minPoolSize="%{idp.pool.LDAP.minSize:3}"
maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
</DataConnector>
<!-- myLDAP1: second directory. Only ldapURL, baseDN, bindDN and bindDNCredential
     are taken from ".1"-suffixed properties; useStartTLS, connectTimeout, the
     search filter and the pool settings are the same unsuffixed properties as
     for myLDAP, so this directory cannot have its own filter or timeouts without
     introducing new properties.
     NOTE(review): every ".1" property must be defined in the properties file; an
     unresolved placeholder leaves a literal "%{...}" in ldapURL/baseDN and the
     connector cannot work. The trust, ReturnAttributes and failure-handling
     remarks on myLDAP apply here unchanged. -->
<DataConnector id="myLDAP1" xsi:type="LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL.1}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN.1}"
principal="%{idp.attribute.resolver.LDAP.bindDN.1}"
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential.1}"
useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
>
<FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
</FilterTemplate>
<ConnectionPool
minPoolSize="%{idp.pool.LDAP.minSize:3}"
maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
</DataConnector>
<!-- myLDAP2: third directory, same layout as myLDAP1 with ".2"-suffixed
     properties for ldapURL, baseDN, bindDN and bindDNCredential. useStartTLS,
     connectTimeout, the search filter and the pool settings are shared with
     myLDAP and myLDAP1 (unsuffixed properties).
     NOTE(review): as for myLDAP1, all ".2" properties must exist in the
     properties file, and the trust, ReturnAttributes and failure-handling
     remarks on myLDAP apply here unchanged. -->
<DataConnector id="myLDAP2" xsi:type="LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL.2}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN.2}"
principal="%{idp.attribute.resolver.LDAP.bindDN.2}"
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential.2}"
useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
>
<FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
</FilterTemplate>
<ConnectionPool
minPoolSize="%{idp.pool.LDAP.minSize:3}"
maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
</DataConnector>
</AttributeResolver>
Attribute-Filter:
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
xmlns="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
<!-- Release some attributes to an SP. -->
<!-- DFN Test SPs -->
<!-- dfn_test_sps: applies only when the requester is one of the three DFN test
     SPs (entityID compared exactly by the Requester rules, OR-ed). For those
     SPs every value of uid, mail, surname, organizationName and givenName is
     released (permitAny="true"); eduPersonScopedAffiliation is limited to the
     values student, member and staff, so the resolver default "affiliate" is
     withheld from the test SPs.
     NOTE(review): the rule for eduPersonPrincipalName refers to an attribute
     that has no definition in the resolver posted above, so it releases
     nothing until such a definition exists. The Value rules are written for
     the unscoped part ("member", not "member@scope"); this is the DFN template
     style and presumably matches the scoped values, confirm in the test SP. -->
<AttributeFilterPolicy id="dfn_test_sps">
<PolicyRequirementRule xsi:type="OR">
<Rule xsi:type="Requester" value="https://testsp.aai.dfn.de/shibboleth" />
<Rule xsi:type="Requester" value="https://testsp2.aai.dfn.de/shibboleth" />
<Rule xsi:type="Requester" value="https://testsp3.aai.dfn.de/shibboleth" />
</PolicyRequirementRule>
<AttributeRule attributeID="uid" permitAny="true"/>
<AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
<AttributeRule attributeID="mail" permitAny="true"/>
<AttributeRule attributeID="surname" permitAny="true"/>
<AttributeRule attributeID="organizationName" permitAny="true"/>
<AttributeRule attributeID="givenName" permitAny="true"/>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="OR">
<Rule xsi:type="Value" value="student" />
<Rule xsi:type="Value" value="member" />
<Rule xsi:type="Value" value="staff" />
</PermitValueRule>
</AttributeRule>
</AttributeFilterPolicy>
<!-- Anonyme Angaben können an alle SP freigegeben werden,
damit sind fast alle Verlags-SPs in der Föderation schon zufrieden -->
<!-- LibraryTermsToAnyone: PolicyRequirementRule ANY makes this policy apply to
     every requester, so the common-lib-terms entitlement and the scoped
     affiliation values "member" and "library-walk-in" are released to any SP
     that reaches this IdP. That is the intended anonymous baseline for publisher
     SPs described in the comment above; the policy contains nothing that
     identifies the user, and identifying attributes (uid, mail, names) belong in
     requester-specific policies such as dfn_test_sps, not here.
     "library-walk-in" is never produced by the resolver posted above, so that
     rule is currently inert; "member" is only set via the group mapping. -->
<AttributeFilterPolicy id="LibraryTermsToAnyone">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="eduPersonEntitlement">
<PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms"/>
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="OR">
<Rule xsi:type="Value" value="member" ignoreCase="true" />
<Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
</PermitValueRule>
</AttributeRule>
</AttributeFilterPolicy>
</AttributeFilterPolicyGroup>