| Note |
|---|
Please read and follow the v5 SAML AuthN documentation first, before or along with using this example. This documentation is not maintained by the development team and may not be entirely accurate or consistent with the software at any given time. It is a complement to the documentation, not a replacement for it. |
...
- For a pass-through proxy approach
- All attributes originate from EntraID and must be released to this Relying Party for the Shibboleth IdP to marshall downstream
- For a hybrid proxy approach
- Technically the single attribute you want to use for user lookup is required.
| Info |
|---|
user.localuserprincipalname is the usual choice for the main user identifier but review your practices carefully. This identifier is ALWAYS in the realm of the EntraID tenant whereas user.userprincipalname may not be for guest users in the EntraID tenant and WILL NOT pass the shib:md scope in your metadata. |
...
| Code Block |
|---|
|
<AttributeFilterPolicy id="FilterPolicyObject-Proxy-FromAzure-byIssuer-Type">
<PolicyRequirementRule xsi:type="Issuer" value="https://sts.windows.net/00BC123-TENANTID-INCLUDING-TRAILING-SLASH/" />
<AttributeRule attributeID="azureDisplayname" permitAny="true" />
<AttributeRule attributeID="azureGivenname" permitAny="true" />
<AttributeRule attributeID="azureSurname" permitAny="true" />
<AttributeRule attributeID="azureAuthnmethodsreferences" permitAny="true" />
<AttributeRule attributeID="azureIdentityprovider" permitAny="true" />
<AttributeRule attributeID="azureTenantid" permitAny="true" />
<AttributeRule attributeID="azureEmailaddress" permitAny="true" />
<AttributeRule attributeID="azureObjectidentifier" permitAny="true" />
<AttributeRule attributeID="azureGroups" permitAny="true" />
<AttributeRule attributeID="azureName">
<PermitValueRule xsi:type="ScopeMatchesShibMDScope" />
</AttributeRule>
</AttributeFilterPolicy> |
...
| Code Block |
|---|
|
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<bean parent="shibboleth.TranscodingRuleLoader">
<constructor-arg>
<list>
<!-- claims relevant to person record -->
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">azureName</prop>
<prop key="transcoder">SAML2ScopedStringTranscoder</prop>
<prop key="saml2.name">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name</prop>
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</prop>
<prop key="displayName.en">Name</prop>
<prop key="description.en">Azure UPN of an account expected to be scoped thus transcoded that way</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">azureEmailaddress</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</prop>
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</prop>
<prop key="displayName.en">Mail</prop>
<prop key="description.en">Azure emailaddress field of an account</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">azureDisplayname</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">http://schemas.microsoft.com/identity/claims/displayname</prop>
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</prop>
<prop key="displayName.en">Mail</prop>
<prop key="description.en">Azure displayname field of an account</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">azureGivenname</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</prop>
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</prop>
<prop key="displayName.en">Given name</prop>
<prop key="description.en">Azure given name of an account</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">azureSurname</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</prop>
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</prop>
<prop key="displayName.en">Surname</prop>
<prop key="description.en">Azure surname of an account</prop>
</props>
</property>
</bean>
<!-- default claims from Azure for any entity -->
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">azureTenantid</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">http://schemas.microsoft.com/identity/claims/tenantid</prop>
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</prop>
<prop key="displayName.en">Tenant ID</prop>
<prop key="description.en">Azure tenantid</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">azureObjectidentifier</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">http://schemas.microsoft.com/identity/claims/objectidentifier</prop>
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</prop>
<prop key="displayName.en">Object Identifier</prop>
<prop key="description.en">Azure object identifier of an account</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">azureIdentityprovider</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">http://schemas.microsoft.com/identity/claims/identityprovider</prop>
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</prop>
<prop key="displayName.en">Identity Provider entityid</prop>
<prop key="description.en">Azure entityID of the tenant in Azure</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">azureAuthnmethodsreferences</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">http://schemas.microsoft.com/claims/authnmethodsreferences</prop>
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</prop>
<prop key="displayName.en">Authnmethodsreferences</prop>
<prop key="description.en">Azure authentication method (password, modern auth? etc)</prop>
</props>
</property>
</bean>
</list> <bean parent="shibboleth.TranscodingProperties">
</constructor-arg> </bean> </beans>
|
2. Update attributes/default-rules.xml to include this new file as a reference by adding this line to it after the last import:
| Code Block |
|---|
|
<import resource="azureClaims.xml" />
|
<property name="properties">
<props merge="true">
<prop key="id">azureGroups</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">http://schemas.microsoft.com/ws/2008/06/identity/claims/groups</prop>
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</prop>
<prop key="displayName.en">Groups</prop>
<prop key="description.en">Azure Group Membership</prop>
</props>
</property>
</bean>
</list>
</constructor-arg>
</bean>
</beans>
|
2. Update attributes/default-rules.xml to include this new file as a reference by adding this line to it after the last import:
| Code Block |
|---|
|
<import resource="azureClaims.xml" />
|
3. Update attribute-resolver.xml to reveal our new attributes from EntraID by adding a new DataConnector:
...
| Code Block |
|---|
|
<AttributeDefinition xsi:type="Simple" id="userPrincipalName">
<InputDataConnector ref="passthroughAttributes" attributeNames="azureName" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="sn">
<InputDataConnector ref="passthroughAttributes" attributeNames="azureSurname" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="givenName">
<InputDataConnector ref="passthroughAttributes" attributeNames="azureGivenname" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="mail">
<InputDataConnector ref="passthroughAttributes" attributeNames="azureEmailaddress" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="displayName">
<InputDataConnector ref="passthroughAttributes" attributeNames="azureDisplayname" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="cn">
<InputDataConnector ref="passthroughAttributes" attributeNames="azureDisplayname" />
</AttributeDefinition>
<DataConnector id="passthroughAttributes" xsi:type="Subject"
exportAttributes="azureName azureEmailaddress azureDisplayname azureGivenname azureSurname azureTenantid azureObjectidentifier azureIdentityprovider azureAuthnmethodsreferences azureGroups" />
|
Proxy Task 6. Handling REFEDS AuthnContext Requests (optional)
...