Azure AD Connector from IDP v4.1 - canonicalization failure
Ullfig, Roberto Alfredo
rullfig at uic.edu
Tue Aug 30 18:49:26 UTC 2022
We just want a user identifier from Azure. Here is the relevant code:
attribute-resolver.xml:

    <AttributeDefinition xsi:type="SubjectDerivedAttribute"
        forCanonicalization="true"
        id="canonicalNameToUseForJoin"
        principalAttributeName="azureName" />

    <DataConnector id="passthroughAttributes" xsi:type="Subject"
        exportAttributes="azureName" />

attribute-filter.xml:

    <AttributeFilterPolicy id="FilterPolicyObject-Proxy-FromAzure-byIssuer-Type">
        <PolicyRequirementRule xsi:type="Issuer" value="https://sts.windows.net/e202cd47-7a56-4baa-99e3-e3b71a7c77dd/" />
        <AttributeRule attributeID="azureName">
            <PermitValueRule xsi:type="ScopeMatchesShibMDScope" />
        </AttributeRule>
    </AttributeFilterPolicy>

azureClaims.xml:

    <bean parent="shibboleth.TranscodingRuleLoader">
        <constructor-arg>
            <list>
                <bean parent="shibboleth.TranscodingProperties">
                    <property name="properties">
                        <props merge="true">
                            <prop key="id">azureName</prop>
                            <prop key="transcoder">SAML2ScopedStringTranscoder</prop>
                            <prop key="saml2.name">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name</prop>
                            <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</prop>
                            <prop key="displayName.en">Name</prop>
                            <prop key="description.en">Azure UPN of an account expected to be scoped thus transcoded that way</prop>
                        </props>
                    </property>
                </bean>
            </list>
        </constructor-arg>
    </bean>

attribute-sourced-subject-c14n-config.xml:

    <util:list id="shibboleth.c14n.attribute.AttributesToResolve">
        <value>canonicalNameToUseForJoin</value>
    </util:list>

    <util:list id="shibboleth.c14n.attribute.AttributeSourceIds">
        <value>canonicalNameToUseForJoin</value>
    </util:list>

subject-c14n.xml:

    <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott via users <users at shibboleth.net>
Sent: Tuesday, August 30, 2022 1:35 PM
To: Shib Users <users at shibboleth.net>
Cc: Cantor, Scott <cantor.2 at osu.edu>
Subject: Re: Azure AD Connector from IDP v4.1 - canonicalization failure
More to the point, what is the actual goal here?
If you're trying to just pass through a value from Azure, you're on 4.1 so you don't need to be running the resolver. The attribute-sourced method has properties in 4.1 that just directly pull in a decoded IdPAttribute from the IdP, and can disable running the resolver at all. Much less configuration.
-- Scott
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net