Configure eduPersonTargetedID Shibboleth IdP Windows 3.4
Aisha Al Fudhaili
aisha at omren.om
Wed Sep 22 11:39:59 UTC 2021
Dear Peter,
Thank you for your support. I made the changes but I still get errors. I don't fully understand how to configure the data connector. Could you please show me an example? Please see what I did:
<AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
    <InputDataConnector ref="computed" attributeNames="computedId"/>
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:pairwise-id" friendlyName="pairwise-id" encodeType="false" />
</AttributeDefinition>

<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->

<DataConnector id="staticAttributes" xsi:type="Static">
    <Attribute id="affiliation">
        <Value>member</Value>
    </Attribute>
</DataConnector>

<!-- principal= wires the bindDN property that ldap.properties (below) defines;
     without it the connector has a bind credential but no DN to bind as.
     useStartTLS= wires the matching property so the bind does not go over cleartext ldap://. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>
</DataConnector>

<!-- idp.persistentId.sourceAttribute (set in saml-nameid.properties, not ldap.properties)
     must name a user-specific LDAP attribute returned by myLDAP, never a value that is
     the same for everyone. -->
<DataConnector id="computed" xsi:type="ComputedId"
    generatedAttributeID="computedId"
    salt="%{idp.persistentId.salt}"
    algorithm="%{idp.persistentId.algorithm:SHA}"
    encoding="%{idp.persistentId.encoding:BASE32}">
    <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
</DataConnector>
In ldap.properties:
idp.attribute.resolver.LDAP.ldapURL=%{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout=%{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout=%{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.baseDN=%{idp.authn.LDAP.baseDN:CN=Users, DC=idp, DC=omren, DC=om}
idp.attribute.resolver.LDAP.bindDN=%{idp.authn.LDAP.bindDN:#Theadminaccount}
idp.attribute.resolver.LDAP.bindDNCredential=%{idp.authn.LDAP.bindDNCredential:#myadminpassword}
idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates=%{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter=(sAMAccountName=$resolutionContext.principal)
In the log file:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'myLDAP': Invocation of init method failed; nested exception is java.lang.NullPointerException
-----Original Message-----
From: Peter Schober <peter.schober at univie.ac.at>
Sent: Wednesday, September 22, 2021 1:24 PM
To: Aisha Al Fudhaili <aisha at omren.om>
Cc: Shib Users <users at shibboleth.net>
Subject: Re: Configure eduPersonTargetedID Shibboleth IdP Windows 3.4
* Aisha Al Fudhaili <aisha at omren.om> [2021-09-22 08:15]:
> I want to release eduPersonTargetedID for eduroam monitor
eduPersonTargetedID is deprecated and should be avoided where possible. I'm aware that the eduroam monitor still uses it but it doesn't require eduPersonTargetedID specifically:
Since 2018 the eduroam monitor or CAT also accepts SAML PairwiseID or SAML SubjectID, the new(er) SAML standard identifiers.
(I know because I've worked with Miro and Dubravko to get this to work.)
So instead of trying to add support for something that should no longer be used why not add support for what's increasingly going to be used in many SPs?
But even when using PairwiseID instead of eduPersonTargetedID you'd still have to fix the dependency (InputDataConnector or InputAttributeDefinition) on your "ComputedId" DataConnector as I previously wrote.
If my explanation was not clear please ask and I can try again.
(Short version: You need to have a user-specific attribute that is different for every subject using your IdP and use *that* as input to the "ComputedId" DataConnector. Not a static attribute value that's the same for everyone.)
-peter
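Editor's added example, not part of either message above and not Shibboleth project code: an attribute-resolver.xml fragment for IdP 3.4 that shows Peter's point side by side with Aisha's request for a data connector example. The commented-out connector is the weak form (a Static value as ComputedId input); the active one reads a per-user attribute from LDAP. Assumed names: the directory attribute sAMAccountName (taken from the search filter in the thread; any attribute used here must be unique per user and never reassigned), the property values quoted in comments, and the SP entityID https://sp.example.org/shibboleth in the filter rule, which is a placeholder.

```xml
<!-- ===== attribute-resolver.xml (example, adapt names) ===== -->

<DataConnector id="staticAttributes" xsi:type="Static">
    <Attribute id="affiliation">
        <Value>member</Value>
    </Attribute>
</DataConnector>

<!-- WRONG: a Static connector yields the same value for every subject, so every
     user would hash to the same pairwise-id at a given SP and the SP could not
     tell accounts apart. Shown commented out so it cannot be deployed by accident.
<DataConnector id="computed" xsi:type="ComputedId" generatedAttributeID="computedId"
               salt="%{idp.persistentId.salt}">
    <InputDataConnector ref="staticAttributes" attributeNames="affiliation"/>
</DataConnector>
-->

<!-- The LDAP connector needs both the bind DN (principal) and its credential,
     and should use StartTLS unless ldapURL is already ldaps://. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
    <FilterTemplate>
        <![CDATA[
            (sAMAccountName=$resolutionContext.principal)
        ]]>
    </FilterTemplate>
    <!-- Return only what the resolver needs; the ComputedId input must be listed here. -->
    <ReturnAttributes>sAMAccountName mail displayName</ReturnAttributes>
</DataConnector>

<!-- RIGHT: the hash input is a per-user value read from the directory.
     Equivalent property form (saml-nameid.properties, assumed values):
       idp.persistentId.sourceAttribute = sAMAccountName
       idp.persistentId.salt            = a long random string that is never changed,
                                          because changing it changes every user's identifier
     The attributeNames value is written out here so the dependency is visible. -->
<DataConnector id="computed" xsi:type="ComputedId"
    generatedAttributeID="computedId"
    salt="%{idp.persistentId.salt}"
    algorithm="%{idp.persistentId.algorithm:SHA}"
    encoding="%{idp.persistentId.encoding:BASE32}">
    <InputDataConnector ref="myLDAP" attributeNames="sAMAccountName"/>
</DataConnector>

<!-- Scoped so the SP sees value@scope, as the pairwise-id attribute requires. -->
<AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
    <InputDataConnector ref="computed" attributeNames="computedId"/>
    <AttributeEncoder xsi:type="SAML2ScopedString"
        name="urn:oasis:names:tc:SAML:attribute:pairwise-id"
        friendlyName="pairwise-id" encodeType="false"/>
</AttributeDefinition>

<!-- ===== attribute-filter.xml: release it to one SP only (placeholder entityID) ===== -->
<AttributeFilterPolicy id="releasePairwiseIdToMonitor">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth"/>
    <AttributeRule attributeID="samlPairwiseID">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
```

Check it before trusting it: run the IdP's aacli tool (bin\aacli.bat on Windows) for two different users against the same requester entityID and confirm the two pairwise-id values differ; then run it for one user against two different entityIDs and confirm they differ as well. Identical values across users means the input is still not user-specific, which is exactly the failure Peter describes.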