
...

Institutions may want to release a user's group memberships to Shibboleth Service Providers (SPs) when that user accesses a site, and to do so securely: the IdP pulls the memberships from LDAP, and the attribute filter policy decides which values each SP may see. Here are some ways to configure the IdP side of that. You may also want to see the page on Grouper and Shibboleth Integration.

Sending the isMemberOf attribute

...

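    <!-- LDAP connector that reads the user's own entry and exposes its isMemberOf values.
         Bind with a dedicated, read-only service account rather than the directory's
         superuser ("cn=directory manager" is typically the root DN on Sun/Oracle DSEE and
         OpenDJ-style servers): the IdP only needs search + read. principalCredential is
         stored in cleartext here, so restrict this file's permissions to the IdP user. -->
    <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldaps://ldap.example.org" baseDN="dc=example,dc=org" principal="cn=directory manager"
        principalCredential="password" poolInitialSize="3" poolMaxIdleSize="3">
        <!-- The authenticated principal name is interpolated verbatim into the search filter.
             NOTE(review): Velocity itself applies no LDAP filter escaping; confirm whether your
             IdP version escapes $requestContext.principalName, and in any case make sure the
             authentication source cannot yield names containing '*', '(', ')' or '\'. -->
        <FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </FilterTemplate>
        <!-- Least privilege: fetch only the attribute the definition needs instead of the whole
             entry (which, under a privileged bind, may include sensitive attributes). -->
        <ReturnAttributes>isMemberOf</ReturnAttributes>
    </resolver:DataConnector>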

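    <!-- Pass the isMemberOf values read by the "myLDAP" connector through unchanged.
         Which of these values reach a given SP is governed by the attribute filter policy;
         this definition alone releases nothing. -->
    <resolver:AttributeDefinition id="isMemberOf" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="isMemberOf">
        <resolver:Dependency ref="myLDAP" />

        <!-- SAML 1 name: the MACE-Dir name for isMemberOf. The OID belongs only in the SAML 2
             encoder below; a name with the OID fused onto it ("isMemberOfoid:1.3.6...") would
             not match any SP's attribute map. -->
        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:isMemberOf" />

        <!-- SAML 2 name: the isMemberOf OID (1.3.6.1.4.1.5923.1.5.1.1). -->
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
    </resolver:AttributeDefinition>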

...

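    <!-- Group-search connector: finds every entry under baseDN whose "member" attribute
         names the user, merges the matches (mergeResults) and returns each group's cn.
         Bind with a dedicated, read-only service account rather than the directory
         superuser ("cn=directory manager" is typically the root DN); principalCredential
         is cleartext, so restrict this file's permissions to the IdP user.
         maxResultSize caps the number of groups considered: a user in more than 500
         groups gets an incomplete list (whether that truncates or errors depends on the
         IdP version - verify). -->
    <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldaps://ldap.example.org" baseDN="dc=example,dc=org" principal="cn=directory manager"
        principalCredential="password" poolInitialSize="3" poolMaxIdleSize="3"
        maxResultSize="500" mergeResults="true" >
        <!-- "member" holds the full DN of each member, and the equality match is a DN match,
             so the filter must carry the user's complete DN, not just "uid=<name>". Adjust the
             suffix below to the container your user entries actually live in. If non-group
             entries under baseDN also carry "member", AND an objectClass term onto the filter.
             NOTE(review): the principal name is interpolated verbatim; confirm your IdP version
             escapes it, and ensure usernames cannot contain '*', '(', ')', '\' or ','. -->
        <FilterTemplate>
            <![CDATA[
                (member=uid=${requestContext.principalName},dc=example,dc=org)
            ]]>
        </FilterTemplate>
        <!-- Only the group name is needed; do not pull the whole group entry. -->
        <ReturnAttributes>cn</ReturnAttributes>
    </resolver:DataConnector>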

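    <!-- Expose the cn of each matched group (from the "myLDAP" group search) as the user's
         isMemberOf values. Every matching group's cn becomes a candidate value; which ones an
         SP actually receives is decided by the attribute filter policy, so filter them there. -->
    <resolver:AttributeDefinition id="isMemberOf" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="cn">
        <resolver:Dependency ref="myLDAP" />

        <!-- SAML 1 name: the MACE-Dir name for isMemberOf. The OID belongs only in the SAML 2
             encoder below; a name with the OID fused onto it ("isMemberOfoid:1.3.6...") would
             not match any SP's attribute map. -->
        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:isMemberOf" />

        <!-- SAML 2 name: the isMemberOf OID (1.3.6.1.4.1.5923.1.5.1.1). -->
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
    </resolver:AttributeDefinition>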

...

The attribute filter policy rules for this attribute look the same as those for the raw isMemberOf attribute. Because every matching group's cn becomes a value, the filter policy is what limits which group names each Service Provider receives; without a per-SP rule, nothing is released.

...