...
- new install: $IDP_INSTALL_DIR/src/installer/resources/conf-tmpl/attribute-resolver.xm
- maintaining the configuration: $IDP_DIR/conf/attribute-resolver.xml
The "principal name" supplied by Kerberos has the form "user@REALM", for example "jdoe@DOMAIN.COM"; the realm is normally the Active Directory domain name in upper case.
You need to verify whether your attribute-resolver configuration accepts this format as it is, or whether the value must first be split into the user part and the realm before other attribute definitions or data connectors (for instance an LDAP lookup keyed on the login name) can use it.
Example_1: To extract the user part ("principal name") from the Kerberos principal:

```xml
(...)
<!-- The authenticated principal, e.g. jdoe@DOMAIN.COM. dependencyOnly="true" keeps it out of the released attributes. -->
<resolver:AttributeDefinition id="principalName" xsi:type="ad:PrincipalName" dependencyOnly="true">
</resolver:AttributeDefinition>

<!-- Map jdoe@DOMAIN.COM (or jdoe@AD.DOMAIN.COM) to jdoe. -->
<resolver:AttributeDefinition id="krb_principalname" xsi:type="ad:Mapped" sourceAttributeID="principalName" dependencyOnly="true">
    <resolver:Dependency ref="principalName" />
    <ad:ValueMap>
        <ad:ReturnValue>$1</ad:ReturnValue>
        <!-- The pattern must match the whole value. The user part may not contain "@",
             the dots of the realm are escaped so they match literally, and the sub-realm
             label is optional. An unescaped "(.+)@(.+).DOMAIN.COM" would reject
             jdoe@DOMAIN.COM and accept jdoe@NOTDOMAIN.COM. -->
        <ad:SourceValue>([^@]+)@(?:[^@]+\.)?DOMAIN\.COM</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>
(...)
```
Attention: In a Windows Active Directory environment the "principal name" (the part before the "@") usually corresponds to the LDAP attribute "sAMAccountName", which is limited to 20 characters. Check this against your directory before relying on it: a user can also authenticate with the "userPrincipalName", which may differ from "sAMAccountName@REALM", and a Kerberos principal that does not match any ValueMap produces no mapped value, so a data connector keyed on "krb_principalname" will then find nothing for that user.
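To check what such a ValueMap will actually release, the following Python script is an added example (not code from the original page or from the Shibboleth project) that emulates the mapping offline. It applies a loose pattern of the form "(.+)@(.+).DOMAIN.COM" (dots unescaped, sub-realm label mandatory) and a tightened one to a handful of constructed principals, extracts both the user part (Example_1) and the realm (the subject of Example_2), and flags user parts that cannot be a sAMAccountName. It assumes, as Shibboleth's Mapped definition does with Java's String.matches(), that the SourceValue regex has to match the whole value; the sample principals and the realm "DOMAIN.COM" are made up for the illustration.

```python
import re

# Constructed sample principals for this example (not taken from the original page).
SAMPLE_PRINCIPALS = [
    "jdoe@DOMAIN.COM",                     # user in the root realm
    "jdoe@AD.DOMAIN.COM",                  # user in a sub-realm
    "jdoe@NOTDOMAIN.COM",                  # foreign realm that merely ends in "DOMAIN.COM"
    "averylongusername12345@DOMAIN.COM",   # 22-character user part
]

# Loose pattern: dots unescaped and a sub-realm label required before "DOMAIN.COM".
LOOSE_PATTERN = r"(.+)@(.+).DOMAIN.COM"

# Tightened pattern: the user part cannot contain "@", dots are literal, and the
# sub-realm label is optional so that both DOMAIN.COM and AD.DOMAIN.COM match.
STRICT_PATTERN = r"([^@]+)@((?:[^@]+\.)?DOMAIN\.COM)"

SAM_ACCOUNT_NAME_MAX = 20  # pre-Windows 2000 logon name limit in Active Directory


def map_value(value, source_pattern, return_template):
    """Emulate one ad:ValueMap of a Shibboleth ad:Mapped definition.

    Assumption made here: the SourceValue regex must match the whole value
    (as Java's String.matches() would) and "$n" in the ReturnValue is replaced
    by capture group n. Returns None when the value does not match, which is
    what makes a user "disappear" from later lookups.
    """
    match = re.fullmatch(source_pattern, value)
    if match is None:
        return None
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), return_template)


def extract_principal_name(principal, pattern=STRICT_PATTERN):
    """User part of the principal (ReturnValue "$1"), or None if the realm is not ours."""
    return map_value(principal, pattern, "$1")


def extract_realm(principal, pattern=STRICT_PATTERN):
    """Realm of the principal (ReturnValue "$2"); only meaningful with STRICT_PATTERN."""
    return map_value(principal, pattern, "$2")


def fits_sam_account_name(name):
    """True if the mapped user part can be a sAMAccountName at all (length check only)."""
    return name is not None and 0 < len(name) <= SAM_ACCOUNT_NAME_MAX


def compare_patterns(principals=SAMPLE_PRINCIPALS):
    """For each principal, show what the loose and the strict pattern would yield."""
    rows = {}
    for p in principals:
        user = extract_principal_name(p)
        rows[p] = {
            "loose": extract_principal_name(p, LOOSE_PATTERN),
            "strict": user,
            "realm": extract_realm(p),
            "sam_ok": fits_sam_account_name(user),
        }
    return rows


if __name__ == "__main__":
    for principal, r in compare_patterns().items():
        print(f"{principal:36} loose={r['loose']!r:26} strict={r['strict']!r:26} "
              f"realm={r['realm']!r} sam_ok={r['sam_ok']}")
```

Running it shows the two failure modes worth testing for in a real deployment: the loose pattern drops "jdoe@DOMAIN.COM" entirely (no sub-realm label to consume) while happily mapping "jdoe@NOTDOMAIN.COM" to "jdoe", and a user part longer than 20 characters can never be matched against "sAMAccountName" even though the mapping itself succeeded.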
Example_2: To extract/format the "realm" from the Kerberos principal:
...