nameID multiple activationCondition per SP based on different src Attribute
jehan.procaccia at tem-tsp.eu
Sun Sep 18 13:33:16 UTC 2022
Hi,

I need to send different nameIDs for different SPs.
It works fine for one candidate, here/below with o365 and ImmutableID for candidates in the Microsoft federation [1], but how can I add another AttributeSourceID for other candidates?
I tried to add a second <bean parent="shibboleth.SAML2AttributeSourcedGenerator"> but it isn't selected when I connected the SPs in the 2nd activationCondition list [2].
I think I don't understand how to cumulate both conditions (different source attributes for different SPs).
Should the condition be declared in one unique bean shibboleth.SAML2AttributeSourcedGenerator? How?

I read references: perhaps I missed something...
https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631713/ActivationConditions

https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631671/NameIDGenerationConfiguration

[1]

    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">
        <ref bean="shibboleth.SAML2TransientGenerator" />
        <!-- Persistent ID Generator for all entities except Microsoft -->
        <bean parent="shibboleth.SAML2PersistentGenerator">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.NOT">
                    <constructor-arg>
                        <bean parent="shibboleth.Conditions.RelyingPartyId"
                              c:candidates="#{{'urn:federation:MicrosoftOnline'}}" />
                    </constructor-arg>
                </bean>
            </property>
        </bean>
        <!-- Microsoft requires a custom Persistent ID Generator that
             sends the AD GUID -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
              p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
              p:attributeSourceIds="#{ {'ImmutableID'} }">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.RelyingPartyId"
                      c:candidates="#{{'urn:federation:MicrosoftOnline'}}" />
            </property>
        </bean>

2nd SAML2AttributeSourcedGenerator for specific source Attribute + SPs:

[2]

        <!-- SAML 2 sifi-recette OP 9.3 jehan -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
              p:omitQualifiers="true"
              p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
              p:attributeSourceIds="#{ {'uid', 'mail'} }">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.RelyingPartyId">
                    <constructor-arg name="candidates">
                        <list>
                            <value>https://sp2.domain.fr/shibboleth</value>
                            <value>https://sp3.dom.eu/shibboleth</value>
                        </list>
                    </constructor-arg>
                </bean>
            </property>
        </bean>
    </util:list>
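An added check, not part of the original post or of the Shibboleth IdP code: a short Python model of how the activation conditions in the list above narrow the candidate generators for one relying party. It parses a constructed copy of [1]+[2] (namespace declarations added so the fragment parses on its own), evaluates only the two condition beans the post uses (RelyingPartyId and NOT), and then applies a simplified version of the IdP's selection rule: the IdP first settles the ordered list of NameID formats it is willing to issue for that SP (from the SP's request, its metadata, or the relying party's nameIDFormatPrecedence) and, within each format, takes the first active generator in list order. That format list is passed in as an input here rather than derived from SP metadata. The run shows that for https://sp2.domain.fr/shibboleth the stock persistent generator (its NOT condition still passes) and the new unspecified generator are both active, so the activation condition alone does not pick the second bean; it is only reached when the unspecified format is among the formats tried for that SP.

```python
import re
import xml.etree.ElementTree as ET

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Formats of the stock generators that carry no explicit p:format.
DEFAULT_FORMATS = {
    "shibboleth.SAML2TransientGenerator": TRANSIENT,
    "shibboleth.SAML2PersistentGenerator": PERSISTENT,
}

# Spring namespaces used by saml-nameid.xml (beans is the default namespace).
B = "{http://www.springframework.org/schema/beans}"
P = "{http://www.springframework.org/schema/p}"
C = "{http://www.springframework.org/schema/c}"

# Constructed copy of the poster's list [1]+[2]; namespace declarations added
# so the fragment parses stand-alone. Entity IDs are the post's sample values.
SAMPLE_CONFIG = """
<util:list id="shibboleth.SAML2NameIDGenerators"
    xmlns="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:c="http://www.springframework.org/schema/c">
  <ref bean="shibboleth.SAML2TransientGenerator" />
  <bean parent="shibboleth.SAML2PersistentGenerator">
    <property name="activationCondition">
      <bean parent="shibboleth.Conditions.NOT">
        <constructor-arg>
          <bean parent="shibboleth.Conditions.RelyingPartyId"
                c:candidates="#{{'urn:federation:MicrosoftOnline'}}" />
        </constructor-arg>
      </bean>
    </property>
  </bean>
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        p:attributeSourceIds="#{ {'ImmutableID'} }">
    <property name="activationCondition">
      <bean parent="shibboleth.Conditions.RelyingPartyId"
            c:candidates="#{{'urn:federation:MicrosoftOnline'}}" />
    </property>
  </bean>
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        p:attributeSourceIds="#{ {'uid', 'mail'} }">
    <property name="activationCondition">
      <bean parent="shibboleth.Conditions.RelyingPartyId">
        <constructor-arg name="candidates">
          <list>
            <value>https://sp2.domain.fr/shibboleth</value>
            <value>https://sp3.dom.eu/shibboleth</value>
          </list>
        </constructor-arg>
      </bean>
    </property>
  </bean>
</util:list>
"""


def spel_strings(expr):
    """Quoted literals of a SpEL set literal such as #{ {'uid', 'mail'} }."""
    return re.findall(r"'([^']+)'", expr)


def rp_candidates(cond):
    """Candidates of a RelyingPartyId bean, from c:candidates or a <list> constructor-arg."""
    if C + "candidates" in cond.attrib:
        return spel_strings(cond.attrib[C + "candidates"])
    return [v.text.strip() for v in cond.findall(f"{B}constructor-arg/{B}list/{B}value")]


def condition_holds(cond, rp_id):
    """Evaluate the condition beans the post uses; no condition means always active."""
    if cond is None:
        return True
    parent = cond.get("parent")
    if parent == "shibboleth.Conditions.RelyingPartyId":
        return rp_id in rp_candidates(cond)
    if parent == "shibboleth.Conditions.NOT":
        return not condition_holds(cond.find(f"{B}constructor-arg/{B}bean"), rp_id)
    raise ValueError(f"unsupported activationCondition bean: {parent}")


def load_generators(xml_text):
    """One dict per list entry: bean name, NameID format, source attributes, condition element."""
    gens = []
    for node in ET.fromstring(xml_text.strip()):
        if node.tag == B + "ref":
            name = node.get("bean")
            gens.append({"bean": name, "format": DEFAULT_FORMATS[name], "sources": [], "condition": None})
        elif node.tag == B + "bean":
            name = node.get("parent")
            gens.append({"bean": name,
                         "format": node.get(P + "format", DEFAULT_FORMATS.get(name)),
                         "sources": spel_strings(node.get(P + "attributeSourceIds", "")),
                         "condition": node.find(f"{B}property[@name='activationCondition']/{B}bean")})
    return gens


def active_generators(xml_text, rp_id):
    """Generators whose activationCondition passes for this relying party, in list order."""
    return [g for g in load_generators(xml_text) if condition_holds(g["condition"], rp_id)]


def select_generator(xml_text, rp_id, formats_to_try):
    """Simplified model of the IdP's pick: formats_to_try is the ordered list of formats the
    IdP will issue for this SP (assumed given); first active generator of the first usable format wins."""
    active = active_generators(xml_text, rp_id)
    for fmt in formats_to_try:
        for g in active:
            if g["format"] == fmt:
                return g
    return None
```

Calling `active_generators(SAMPLE_CONFIG, "https://sp2.domain.fr/shibboleth")` returns three entries (transient, persistent, unspecified), while `select_generator(...)` with `[TRANSIENT, UNSPECIFIED]` still returns the transient generator and only `[UNSPECIFIED]` reaches the uid/mail bean. To extend the model to a real deployment, replace the hard-coded format list with the formats the IdP actually tries for that SP (requested format, metadata NameIDFormat, or nameIDFormatPrecedence).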