Releasing mail as scoped sAMAccountName for a specific SP

Nilan Morjaria-Patel N.Morjaria-Patel at soton.ac.uk
Tue Jun 15 14:17:32 UTC 2021


Hi Peter,

Thanks very much for the prompt reply.

I did attempt to do that, with the output of aacli being

    "name": "mailFromSAMAccountName",
    "values": [
        "ScopedStringAttributeValue{value=nmp1u14, scope=soton.ac.uk}"
    ]

However, the SP could not pick up the scope for some reason, so I resorted to using a script:

<!-- UoS: mailFromSAMAccountName: value is scoped so <sAMAccountName>@soton.ac.uk -->
<AttributeDefinition id="mailFromSAMAccountName" xsi:type="ScriptedAttribute" relyingParties="https://sp.idoxgroup.com/shibboleth">
    <!-- We need LDAP for this attribute's value -->
    <InputDataConnector ref="uos_ldap" attributeNames="sAMAccountName" />
    <!-- How to encode the attribute in SAML -->
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />

    <!-- The script: append the IdP scope to the first sAMAccountName value.
         %{idp.scope} is expanded by property replacement before the script runs. -->
    <Script><![CDATA[
        // Guard against a missing/empty input so get(0) cannot throw during resolution
        if (typeof sAMAccountName !== "undefined" && sAMAccountName.getValues().size() > 0) {
            mailFromSAMAccountName.addValue(sAMAccountName.getValues().get(0) + "@%{idp.scope}");
        }
    ]]></Script>
</AttributeDefinition>

which resulted in

    "name": "mailFromSAMAccountName",
    "values": [
        "StringAttributeValue{value=nmp1u14@soton.ac.uk}"
    ]

Not sure if this is the "best" way but it works.

Thanks
Nilan
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Peter Schober <peter.schober at univie.ac.at>
Sent: 14 June 2021 17:06
To: users at shibboleth.net <users at shibboleth.net>
Subject: Re: Releasing mail as scoped sAMAccountName for a specific SP


* Nilan Morjaria-Patel <N.Morjaria-Patel at soton.ac.uk> [2021-06-14 17:44]:
> I require help regarding the above. I have the following script in
> attribute-resolver.xml where the SP's only requirement is
> mail. However our users can change their mail prefix so we want to
> release the scoped sAMAccountName instead.

You'd use a Scoped attribute definition that slaps on %{idp.scope} to
your sAMAccountName attribute.
Then an Encoder to send it as mail attribute with a relyingParties
XML-attribute enumerating the SPs that require this hack.

No scripting necessary and likely will fix your issue of duplicate
values, too.

-peter
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
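The script-free variant Peter describes, written out as an added example (it is not part of the thread and not a config either poster showed). It assumes the same LDAP connector id (uos_ldap) and SP entityID that appear in Nilan's message, and an IdP v3.4+/v4 attribute-resolver.xml where the Scoped definition and the ScopedString encoders are available.

```xml
<!-- Added example, not from the thread: Scoped definition instead of a ScriptedAttribute.
     Assumed: LDAP connector id "uos_ldap" and the SP entityID from the original message. -->
<AttributeDefinition id="mailFromSAMAccountName" xsi:type="Scoped"
                     scope="%{idp.scope}"
                     relyingParties="https://sp.idoxgroup.com/shibboleth">
    <!-- Input: the unscoped sAMAccountName from AD -->
    <InputDataConnector ref="uos_ldap" attributeNames="sAMAccountName" />

    <!-- A Scoped definition produces ScopedStringAttributeValue objects, so the encoders
         must be the scoped ones. scopeType="inline" joins value and scope with the
         delimiter ("@" by default), so the SP receives the plain string
         "nmp1u14@soton.ac.uk" under the mail attribute name. The non-scoped
         SAML2String/SAML1String encoders, and scopeType="attribute" (the SAML1 default,
         which puts the scope in a separate XML attribute), do not deliver "user@scope"
         as the attribute value, which is what a mail consumer expects. -->
    <AttributeEncoder xsi:type="SAML2ScopedString" scopeType="inline"
                      name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
                      encodeType="false" />
    <AttributeEncoder xsi:type="SAML1ScopedString" scopeType="inline"
                      name="urn:mace:dir:attribute-def:mail"
                      encodeType="false" />
</AttributeDefinition>
```

relyingParties is kept on the definition here, as in Nilan's working config, so the attribute is not resolved at all for other SPs; Peter's suggestion of putting relyingParties on the encoders instead also works and resolves the value everywhere but only encodes it for the listed SPs. Either way the attribute still has to be released to that SP in attribute-filter.xml. To check the result before touching the SP, run aacli against the SP's entityID, e.g. `aacli.sh -n nmp1u14 -r https://sp.idoxgroup.com/shibboleth --saml2`, and confirm the mail attribute in the output carries the full user@scope string.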