You will need to add the following to your AttributeResolverConfiguration:

Addition to attribute-resolver.xml:

```xml
<AttributeDefinition id="canonicalName" xsi:type="SubjectDerivedAttribute"
    forCanonicalization="true"
    principalAttributeName="eduPersonPrincipalName" />
```
The id there is arbitrary; it simply identifies the result as a particular piece of data sourced from the proxied IdP that is to be used to establish the normalized name. The forCanonicalization flag designates that the source of this definition is the intermediate result undergoing c14n, never the data that is normally floating around the system after authentication. Once you have that, you must configure the attribute post-login c14n flow in the typical manner by pointing it at "canonicalName" as its source:

conf/c14n/subject-c14n.xml:

```xml
<!-- Remove comment tags to enable Attribute-based c14n -->
<bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
```
conf/c14n/attribute-sourced-subject-c14n-config.xml:

```xml
<!--
A list of attributes to resolve for normalizing the subject. For example, you might
intend to lookup a name in a directory based on what the user entered. You can make this
an empty list if you just want to resolve everything you normally would.
-->
<util:list id="shibboleth.c14n.attribute.AttributesToResolve">
    <value>canonicalName</value>
</util:list>

<!--
A list of attributes to search for a value to produce as the normalized subject name.
This will normally be something you resolve above.
-->
<util:list id="shibboleth.c14n.attribute.AttributeSourceIds">
    <value>canonicalName</value>
</util:list>
```
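The wiring above fails silently when the id in attribute-resolver.xml, the AttributesToResolve list and the AttributeSourceIds list drift apart, or when the definition loses its forCanonicalization flag. The following Python check is an added example, not part of the Shibboleth distribution; it parses the two files and reports such mismatches. It assumes the standard namespaces (urn:mace:shibboleth:2.0:resolver for the resolver, the Spring util namespace for the lists) and embeds constructed copies of the fragments shown above as sample input.

```python
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"          # attribute-resolver.xml default namespace
UTIL_NS = "http://www.springframework.org/schema/util"   # Spring util namespace for <util:list>

# Constructed sample inputs reproducing the fragments above, wrapped in minimal root elements.
RESOLVER_XML = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeDefinition id="canonicalName" xsi:type="SubjectDerivedAttribute"
      forCanonicalization="true" principalAttributeName="eduPersonPrincipalName" />
</AttributeResolver>"""

C14N_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.c14n.attribute.AttributesToResolve">
    <value>canonicalName</value>
  </util:list>
  <util:list id="shibboleth.c14n.attribute.AttributeSourceIds">
    <value>canonicalName</value>
  </util:list>
</beans>"""


def list_values(root, list_id):
    """Return the <value> texts of the <util:list> with the given id, or None if it is absent."""
    for lst in root.iter(f"{{{UTIL_NS}}}list"):
        if lst.get("id") == list_id:
            return [v.text.strip() for v in lst if v.tag.endswith("}value") and v.text]
    return None


def c14n_problems(resolver_xml, c14n_xml):
    """Cross-check the resolver and c14n files; return a list of problems (empty when consistent)."""
    resolver, c14n = ET.fromstring(resolver_xml), ET.fromstring(c14n_xml)
    # Only definitions flagged forCanonicalization="true" see the intermediate c14n subject.
    c14n_defs = {d.get("id") for d in resolver.iter(f"{{{RESOLVER_NS}}}AttributeDefinition")
                 if d.get("forCanonicalization", "false").lower() == "true"}
    to_resolve = list_values(c14n, "shibboleth.c14n.attribute.AttributesToResolve")
    sources = list_values(c14n, "shibboleth.c14n.attribute.AttributeSourceIds")
    if not sources:
        return ["AttributeSourceIds is missing or empty: c14n has no attribute to read a name from"]
    problems = []
    for sid in sources:
        if sid not in c14n_defs:
            problems.append(f"source '{sid}' has no AttributeDefinition with forCanonicalization=\"true\"")
        # An empty AttributesToResolve means "resolve everything", so only a non-empty list can omit it.
        if to_resolve and sid not in to_resolve:
            problems.append(f"source '{sid}' is not in AttributesToResolve, so it will never be resolved")
    return problems
```

Running `c14n_problems(RESOLVER_XML, C14N_XML)` on the fragments above returns an empty list; renaming the id in only one of the files, or dropping the forCanonicalization flag, produces a message naming the broken link.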
With newer versions, all you have to do is configure the attribute post-login c14n flow via properties, pointing it at "eduPersonPrincipalName" as its source. The properties that enable this are commented out in conf/c14n/subject-c14n.properties and are noted below.

conf/c14n/subject-c14n.xml:

```xml
<!-- Remove comment tags to enable Attribute-based c14n -->
<bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
```
conf/c14n/subject-c14n.properties:

```properties
idp.c14n.attribute.attributeSourceIds = eduPersonPrincipalName
# Allows direct use of attributes via SAML proxy authn, bypasses resolver
idp.c14n.attribute.resolveFromSubject = true
idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.FALSE
```