AAD and IDP Shibboleth 3.0 integration

Gustavo Duarte gus.duarte at gmail.com
Thu Mar 12 13:12:43 EDT 2020 

Hi Ray,

This is:

<?xml version="1.0" encoding="UTF-8"?>

<AttributeResolver
        xmlns="urn:mace:shibboleth:2.0:resolver"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver
http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">


    <!-- ========================================== -->
    <!--      Attribute Definitions                 -->
    <!-- ========================================== -->


    <!-- Use AD LDS objectGUID for ImmutableID -->
    <AttributeDefinition id="ImmutableID" xsi:type="Simple"
sourceAttributeID="userPrincipalName">
       <Dependency ref="myLDAP" />
    </AttributeDefinition>

    <!-- mail for Azure AD User ID -->
    <AttributeDefinition id="UserId" xsi:type="Simple"
sourceAttributeID="mail">
       <Dependency ref="myLDAP" />
       <AttributeEncoder xsi:type="SAML2String" name="IDPEmail"
friendlyName="UserId" />
    </AttributeDefinition>


<!--
    The EPPN is the "standard" federated username in higher ed.
    For guidelines on the implementation of this attribute, refer
    to the Shibboleth and eduPerson documentation. Above all, do
    not expose a value for this attribute without considering the
    long term implications.
    -->
    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped"
scope="%{idp.scope}">
        <InputAttributeDefinition ref="uid" />
        <AttributeEncoder xsi:type="SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false"
/>
        <AttributeEncoder xsi:type="SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
friendlyName="eduPersonPrincipalName" encodeType="false" />
    </AttributeDefinition>

    <!--
    The uid is the closest thing to a "standard" LDAP attribute
    representing a local username, but you should generally *never*
    expose uid to federated services, as it is rarely globally unique.
    -->
    <AttributeDefinition id="uid" xsi:type="PrincipalName">
        <AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:uid" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid"
encodeType="false" />
    </AttributeDefinition>

    <!--
    In the rest of the world, the email address is the standard identifier,
    despite the problems with that practice. Consider making the EPPN
    value the same as your official email addresses whenever possible.
    -->
    <AttributeDefinition id="mail" xsi:type="Template">
        <InputAttributeDefinition ref="uid" />
        <AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
encodeType="false" />
        <Template>
          <![CDATA[
               ${uid}@example.org
          ]]>
        </Template>
        <SourceAttribute>uid</SourceAttribute>
    </AttributeDefinition>

    <!--
    This is an example of an attribute sourced from a data connector.
    -->
    <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped"
scope="%{idp.scope}">
        <InputDataConnector ref="staticAttributes"
attributeNames="affiliation" />
        <AttributeEncoder xsi:type="SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
encodeType="false" />
        <AttributeEncoder xsi:type="SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
friendlyName="eduPersonScopedAffiliation" encodeType="false" />
    </AttributeDefinition>


    <!-- ========================================== -->
    <!--      Data Connectors                       -->
    <!-- ========================================== -->


    <DataConnector id="staticAttributes" xsi:type="Static">
        <Attribute id="affiliation">
            <Value>member</Value>
        </Attribute>
    </DataConnector>

     <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"

principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:false}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
        <dc: FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </dc:FilterTemplate>
        <LDAPProperty name="java.naming.ldap.attributes.binary"
value="objectGUID" />
        <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"

validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
            failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}"
/>
    </DataConnector>

</AttributeResolver>




Thanks !!

El jue., 12 mar. 2020 a las 13:55, Ray Bon (<rbon at uvic.ca>) escribió:

> Gustavo,
>
> What is your attribute resolver config?
>
> Ray
>
> On Thu, 2020-03-12 at 13:15 -0300, Gustavo Duarte wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> Hi all,
>
> I'm configuring a Federated domain in my AAD (Azue Active Directory) to be
> authenticated on my Shibboleth IDP.
>
> On IDP side i configured the user with LDAP.
>
> First a i tested this user with https://samltest.id/ online tool and all
> work fine.
>
> When try login with this same  user on: https://portal.office.com/ i'
> redirected to shib IDP login and after write user/pass, following error is
> showed on browser:
>
> AADSTS500082: SAML assertion is not present in the token.
>
> And in my shib idp log the following error is showed.
>
> Profile Action ResolveAttributes: Error resolving attributes: Invalid
> Attribute resolver configuration
>
> What is happening, here ?
>
> Thanks in advance.
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rbon at uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200312/26e3d739/attachment.html>

More information about the users mailing list