| Include Page | ||||
|---|---|---|---|---|
|
Institutions may want to release group information to Shibboleth Service Providers in a secure way when a user is accessing a site. Here are some ways to do that. You may also want to see the page on Grouper and Shibboleth Integration.
Sending the isMemberOf attribute
...
Suppose you want to release the standard library entitlement, based on membershib membership in one or more groups.
| Code Block |
|---|
<resolver:AttributeDefinition id="memberships" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="isMemberOf">
<resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="entitlement_lib" xsi:type="Script"
xmlns="urn:mace:shibboleth:2.0:resolver:ad">
<resolver:Dependency ref="memberships" />
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
<Script>
<![CDATA[
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
entitlement = new BasicAttribute("entitlement_lib");
var ngroup = memberships.getValues().size();
for (var i=0; i<ngroup; i++) {
var group = memberships.getValues().get(i);
if (group.equals("uw:student") || group.equals("uw:employee") || group.equals("uw:lib:users") ) {
entitlement.getValues().add('urn:mace:dir:entitlement:common-lib-terms');
break;
}
}
]]>
</Script>
</resolver:AttributeDefinition>
|
...