Institutions may want to securely release group information to Shibboleth Service Providers when a user accesses a site. Here are some ways to do that. You may also want to see the page on Grouper and Shibboleth Integration.
Sending the isMemberOf attribute
...
<!--
  Shibboleth IdP attribute-resolver fragment: reads the authenticated user's own
  isMemberOf LDAP attribute and encodes it for SAML 1 and SAML 2 assertions.
  This is an excerpt, not a standalone document: the resolver: and xsi: prefixes
  are declared on the enclosing resolver element, which is outside this snippet.
-->
<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        ldapURL="ldaps://ldap.example.org"
                        baseDN="dc=example,dc=org"
                        principal="cn=directory manager" principalCredential="password"
                        poolInitialSize="3" poolMaxIdleSize="3">
  <!-- NOTE(review): principalCredential is a literal bind password in the resolver
       configuration. Restrict read access to this file (or externalise the value)
       and prefer a least-privilege read-only bind account over "directory manager". -->
  <!-- Search filter template; $requestContext.principalName is the authenticated user id.
       NOTE(review): confirm the IdP escapes LDAP filter metacharacters in principalName
       before substitution, otherwise this value must be treated as untrusted input. -->
  <FilterTemplate> <![CDATA[ (uid=$requestContext.principalName) ]]> </FilterTemplate>
</resolver:DataConnector>
<!-- Attribute definition: takes its values from the connector's isMemberOf attribute
     (sourceAttributeID) and releases them under the id "isMemberOf". -->
<resolver:AttributeDefinition id="isMemberOf" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="isMemberOf">
  <resolver:Dependency ref="myLDAP" />
  <!-- NOTE(review): this SAML 1 name looks garbled: an "oid:..." suffix appears fused onto
       "urn:mace:dir:attribute-def:isMemberOf". Confirm the intended value before deploying. -->
  <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                             name="urn:mace:dir:attribute-def:isMemberOfoid:1.3.6.1.4.1.5923.1.5.1.1" />
  <!-- SAML 2 encoder: OID-based name with friendlyName isMemberOf. -->
  <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                             name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
</resolver:AttributeDefinition>
...
<!--
  Shibboleth IdP attribute-resolver fragment, group-entry variant: instead of reading
  the user's entry, it searches for group entries whose member attribute matches the
  user, returns each group's cn, and releases those cn values as isMemberOf.
  This is an excerpt: the resolver: and xsi: prefixes are declared on the enclosing
  resolver element, which is outside this snippet.
-->
<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        ldapURL="ldaps://ldap.example.org"
                        baseDN="dc=example,dc=org"
                        principal="cn=directory manager" principalCredential="password"
                        poolInitialSize="3" poolMaxIdleSize="3"
                        maxResultSize="500" mergeResults="true" >
  <!-- NOTE(review): principalCredential is a literal bind password in the resolver
       configuration. Restrict read access to this file (or externalise the value)
       and prefer a least-privilege read-only bind account over "directory manager". -->
  <!-- maxResultSize presumably caps the search at 500 group entries; a user in more groups
       than that would get a truncated membership list. mergeResults appears to combine the
       attributes of all matching entries into one result set. Verify both against the IdP
       version in use. -->
  <!-- Search filter template matching group entries by member.
       NOTE(review): the filter compares member against the bare value "uid=<name>"; if member
       holds full DNs, the remainder of the DN must be appended here. Also confirm the IdP
       escapes LDAP filter metacharacters in principalName before substitution. -->
  <FilterTemplate> <![CDATA[ (member=uid=${requestContext.principalName}) ]]> </FilterTemplate>
  <!-- Only the group name is requested from each matching entry. -->
  <ReturnAttributes>cn</ReturnAttributes>
</resolver:DataConnector>
<!-- Attribute definition: takes the cn values returned by the connector and releases
     them under the id "isMemberOf". -->
<resolver:AttributeDefinition id="isMemberOf" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="cn">
  <resolver:Dependency ref="myLDAP" />
  <!-- NOTE(review): this SAML 1 name looks garbled: an "oid:..." suffix appears fused onto
       "urn:mace:dir:attribute-def:isMemberOf". Confirm the intended value before deploying. -->
  <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                             name="urn:mace:dir:attribute-def:isMemberOfoid:1.3.6.1.4.1.5923.1.5.1.1" />
  <!-- SAML 2 encoder: OID-based name with friendlyName isMemberOf. -->
  <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                             name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
</resolver:AttributeDefinition>
...