attribute resolver, filter, and value munging

Christopher Bongaarts cab at umn.edu
Fri Apr 29 18:48:12 UTC 2022


On 4/29/2022 1:27 PM, Zach Hanson-Hart wrote:
> We have LDAP groups (object classes: eduMember, organizationalUnit).  
> These have delegated management in various OUs, and each SP would have 
> groups under some base DN.
>
> We want to release only the leaf OU for groups that are under a base 
> DN, where the base DN is dependent on the SP.  That is, we want to 
> filter per SP based on the full DN, but release only the leaf OU.
> [...]
> We could create a scripted attribute resolver that takes the DNs and 
> does the logic of figuring out what to include.  But, it sounds like 
> that requires a separate attribute per SP, and again would not scale 
> well.


This was the first solution that came to my mind; the question would be 
whether the script has access to the SP entity ID at attribute 
resolution time (I think it does, but you might have to do a little work 
to extract it from the ProfileRequestContext->RelyingPartyContext).


If not, scripting a filter seems like a reasonable choice; again using 
the SP entity ID to identify a base DN to release.


Both of these assume you have some means of deriving the base DN from 
the SP entity ID, either directly, or (less scalably) a mapping table.

-- 
%%  Christopher A. Bongaarts   %%cab at umn.edu           %%
%%  OIT - Identity Management  %%http://umn.edu/~cab   %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
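The scripted-resolver approach described above, as an added example that is not part of the original message and not Shibboleth IdP code: plain JavaScript (runs under Node) that filters a user's group DNs by an SP-dependent base DN and releases only the leaf OU value. The group root, the hostname-to-OU convention, the override table and the sample group DNs are all assumptions made for the example; the part a real ScriptedAttribute would do on the Java side (reading the entity ID out of profileContext/RelyingPartyContext and emitting IdPAttribute values) is deliberately left out.

```javascript
// Added example (not Shibboleth code): the per-SP "filter on full DN, release
// the leaf OU" rule from the message above, in plain JavaScript so it can be
// exercised outside the IdP. Inside a ScriptedAttribute definition the same
// logic would take the entity ID from the Java-side profileContext /
// RelyingPartyContext and emit IdPAttribute values; that wiring is omitted.

// Assumed directory layout: one OU per SP hostname under a common group root.
const GROUP_ROOT = 'ou=Groups,dc=example,dc=edu';

// Assumed mapping table for SPs whose entity IDs are not URLs (the "less
// scalable" path the message mentions). Explicit entries win over the rule.
const BASE_DN_OVERRIDES = {
  'urn:mace:example.edu:legacy-sp': 'ou=legacy,ou=Groups,dc=example,dc=edu',
};

// Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514). Each
// RDN keeps the value as written (for release) and a lower-cased form for
// comparison, since ou/dc values match case-insensitively in LDAP.
function parseDn(dn) {
  const parts = [];
  let cur = '';
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === '\\' && i + 1 < dn.length) { cur += ch + dn[++i]; continue; }
    if (ch === ',') { parts.push(cur); cur = ''; continue; }
    cur += ch;
  }
  parts.push(cur);
  return parts.map((p) => {
    const eq = p.indexOf('=');
    if (eq < 0) throw new Error('malformed RDN: ' + p);
    const raw = p.slice(eq + 1).trim();
    return { type: p.slice(0, eq).trim().toLowerCase(), raw, norm: raw.toLowerCase() };
  });
}

// Derive the base DN an SP may see: override table first, otherwise the
// hostname of a URL-shaped entity ID. Anything else gets no base DN and
// therefore no groups at all (fail closed rather than releasing everything).
function baseDnForSp(entityId) {
  if (Object.prototype.hasOwnProperty.call(BASE_DN_OVERRIDES, entityId)) {
    return BASE_DN_OVERRIDES[entityId];
  }
  let host = '';
  try { host = new URL(entityId).hostname; } catch (e) { return null; }
  return host ? 'ou=' + host + ',' + GROUP_ROOT : null;
}

// RDN-wise suffix test. A plain string endsWith() would let
// "ou=foo.example.edu.evil,..." pass for base "ou=foo.example.edu,...".
function isUnder(dnRdns, baseRdns) {
  if (dnRdns.length <= baseRdns.length) return false;
  const off = dnRdns.length - baseRdns.length;
  return baseRdns.every((b, i) =>
    b.type === dnRdns[off + i].type && b.norm === dnRdns[off + i].norm);
}

// The resolver rule: of the user's group DNs, keep those under the SP's base
// DN and release only the leftmost (leaf) OU value, deduplicated.
function leafOusForSp(entityId, groupDns) {
  const base = baseDnForSp(entityId);
  if (base === null) return [];
  const baseRdns = parseDn(base);
  const seen = new Set();
  const out = [];
  for (const dn of groupDns) {
    const rdns = parseDn(dn);
    if (!isUnder(rdns, baseRdns) || rdns[0].type !== 'ou') continue;
    if (!seen.has(rdns[0].norm)) { seen.add(rdns[0].norm); out.push(rdns[0].raw); }
  }
  return out;
}

// Constructed sample: one user's group memberships, as DNs.
const SAMPLE_GROUPS = [
  'ou=admins,ou=foo.example.edu,ou=Groups,dc=example,dc=edu',
  'OU=Editors,OU=foo.example.edu,OU=Groups,DC=example,DC=edu',     // mixed case
  'ou=foo.example.edu,ou=Groups,dc=example,dc=edu',                // the base itself
  'ou=admins,ou=foo.example.edu.evil,ou=Groups,dc=example,dc=edu', // lookalike suffix
  'ou=admins,ou=bar.example.edu,ou=Groups,dc=example,dc=edu',      // another SP's tree
  'ou=Sales\\, EMEA,ou=legacy,ou=Groups,dc=example,dc=edu',         // escaped comma
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const sp of ['https://foo.example.edu/shibboleth',
                    'https://bar.example.edu/sp',
                    'urn:mace:example.edu:legacy-sp',
                    'urn:mace:example.edu:unknown']) {
    console.log(sp, '->', JSON.stringify(leafOusForSp(sp, SAMPLE_GROUPS)));
  }
}
```

Two points worth carrying over into the real resolver script: compare DNs RDN by RDN rather than with a string suffix test, so a delegated OU named to look like another SP's OU cannot leak into that SP's attribute; and treat an entity ID that yields no base DN as "release nothing", so a new SP that has not been mapped yet gets an empty attribute rather than every group.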