
Comment: Turned XML into code blocks

...

Existing data connector (example)

Example existing data connector
<!--
  Existing user lookup connector ("ldap"). Every connection setting is
  pulled from an idp.attribute.resolver.LDAP.* property, so the bind
  credential itself is not stored in this file. trustFile names the trust
  anchors used to validate the server certificate when useStartTLS is on;
  any other connector that reuses this ldapURL should declare the same
  trustFile so both sessions are validated against the same anchors.
-->
<DataConnector id="ldap" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}" >

    <!-- The search filter is a property value wrapped in CDATA so filter
         characters such as '&' and '<' need no XML escaping. The newlines
         and indentation inside the CDATA section are part of the text node;
         presumably the connector trims them before use - confirm. -->
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>

    <!-- Attributes requested from the directory, also supplied by a property. -->
    <ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</ReturnAttributes>

</DataConnector>

...

New data connector

New nested group resolver
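<!-- Resolve nested groups in AD using the DN of the resolved user -->
<!--
  Second LDAP search ("ldap-groups"). It depends on the "ldap" connector for
  the user's distinguishedName and asks the directory for the groups that
  contain that DN, transitively. The connection settings are the same
  idp.attribute.resolver.LDAP.* properties the "ldap" connector uses. The
  trustFile property is declared here as well so that, when useStartTLS is
  enabled, this session validates the server certificate against explicit
  trust anchors rather than whatever the runtime default happens to be.
-->
<DataConnector id="ldap-groups" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}"
    maxResultSize="0">
    <!-- maxResultSize="0" presumably means "no limit" - confirm against the
         connector documentation. A limit of 0 is needed because the size of a
         user's transitive group set is unknown, but note that the in-chain
         search below is expensive for the directory and the result set is
         unbounded. -->

    <!-- The DN used in the filter is the value resolved by the "ldap"
         connector, not anything taken from the request. -->
    <InputDataConnector ref="ldap" attributeNames="distinguishedName" />

    <!-- 1.2.840.113556.1.4.1941 is the Active Directory LDAP_MATCHING_RULE_IN_CHAIN
         rule: it matches every group in whose membership chain the DN appears.
         The DN is inserted into the filter template as-is; a DN can legitimately
         contain filter-special characters such as '(', ')', '*' and '\', so
         confirm whether the template engine escapes the value before the
         filter is sent, and handle the case where no DN was resolved. -->
    <FilterTemplate>
        <![CDATA[
            (member:1.2.840.113556.1.4.1941:=$distinguishedName.get(0))
        ]]>
    </FilterTemplate>

    <!-- Both attributes come back per group matched, so each is multi-valued. -->
    <ReturnAttributes>
        distinguishedName
        sAMAccountName
    </ReturnAttributes>
</DataConnector>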



Attribute definition

You now have two (probably multi-valued) attributes available to use. For example, you could map them to an affiliation or turn them into entitlements.

Example attribute definition
<AttributeDefinition xsi:type="Mapped" id="eduPersonEntitlement">
    <InputDataConnector ref="ldap-groups" attributeNames="distinguishedName" />
    <DefaultValue passThru="false"/>
    <ValueMap>
        <ReturnValue>student</ReturnValue>
        <SourceValue>CN=All Students,OU=Groups,DC=example,DC=ac,DC=uk</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>staff</ReturnValue>
        <SourceValue>CN=All Staff,OU=Groups,DC=example,DC=ac,DC=uk</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>member</ReturnValue>
        <SourceValue>CN=All Students,OU=Groups,DC=example,DC=ac,DC=uk</SourceValue>
        <SourceValue>CN=All Staff,OU=Groups,DC=example,DC=ac,DC=uk</SourceValue>
    </ValueMap>

...



    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" encodeType="false"/>
 </AttributeDefinition>

...