Comment: Adapt the cookie name _idp_krb_enabled to what the IdP ships with in user-prefs.vm

...

Code Block
languagejs
titleWhether a cookie has a certain value
collapsetrue
 // Default return value.
var activate = false;

// Check whether the cookie "_idp_krbspnego_enabledautologin" is set.
var cookies = custom.getCookies();
for (var i = 0; i < cookies.length; i++) {
    var cookie = cookies[i];
    if (cookie.getName() == "_idp_krbspnego_enabledautologin" && cookie.getValue != null && cookie.getValue() == "true") {
        activate = true;
    }
}

// Return the result.
activate;
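Review bot: The null guard on line 23 tests the method reference `cookie.getValue` rather than the value it returns, so it is always true and never protects the `cookie.getValue() == "true"` comparison; write `cookie.getValue() != null && cookie.getValue() == "true"`. `custom.getCookies()` is presumably the Servlet `HttpServletRequest.getCookies()` as in the full example below, and that call returns null when the request carries no Cookie header, so `cookies.length` on line 21 throws for a cookie-less client and the condition errors out instead of returning false; guard the loop with `if (cookies != null)`. The cookie name as rendered runs the old and new names together; whichever name is kept must match the one the IdP's user-prefs view actually sets, and because the cookie is written by the client it can only opt a browser into attempting SPNEGO, not vouch for anything.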

...

Code Block
languagexml
titleFull implementation, including logging
collapsetrue
<bean id="shibboleth.SPNEGO.ActivationCondition" parent="shibboleth.Conditions.Scripted" factory-method="inlineScript"
		p:customObject-ref="shibboleth.HttpServletRequest">
    <constructor-arg>
        <value>
            <![CDATA[
                // This script activates SPNEGO if the client is part
                // of the network 192.168.42.0/24, the user agent's
                // identifier string contains the term "Kerberos",
                // or the cookie "_idp_krbspnego_enabledautologin" is set to "true".

                // Create logger object. (Syntax for Java 1.8/Nashorn.)
				var logger = Java.type("org.slf4j.LoggerFactory").getLogger("shibboleth.SPNEGO.ActivationCondition");
				// For Java 1.7 do this instead:
				// importPackage(Packages.org.slf4j);
				// logger = LoggerFactory.getLogger("shibboleth.SPNEGO.ActivationCondition");

                // Default return value.
                var activate = false;

                // Make HTTPServletRequest object known as "request".
                var request = custom;

                // Check the client's IP address.
                if (request.remoteAddr.startsWith("192.168.42.")) {
                    logger.debug("Activating SPNEGO for client in network 192.168.42.0/24.");
                    activate = true;
                }

                if (!activate) {
                    // Check the user agent's identifier string.
                    var identifier = request.getHeader("User-Agent");
                    if (identifier != null && identifier.match(/Kerberos/)) {
                        logger.debug("Activating SPNEGO for client with term 'Kerberos' in user agent's identifier string.");
                        activate = true;
                    }
                }

                if (!activate) {
                    // Check whether the cookie "_idp_krbspnego_enabledautologin" is set.
                    var cookies = request.getCookies();
                    for (var i = 0; i < cookies.length; i++) {
                        var cookie = cookies[i];
                        if (cookie.getName() == "_idp_krbspnego_enabledautologin" && cookie.getValue != null && cookie.getValue() == "true") {
                            logger.debug("Activating SPNEGO for client having cookie '_idp_krbspnego_enabledautologin' set to 'true'.");
                            activate = true;
                        }
                    }
                }

                // Return the result.
                activate;
            ]]>
        </value>
    </constructor-arg>
</bean>
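Review bot: `request.remoteAddr` on line 60 is the address of the immediate TCP peer, so if the IdP is deployed behind a reverse proxy or load balancer the 192.168.42.0/24 check sees the proxy's address and activates SPNEGO for every client or for none, unless the container is configured to trust forwarded-address headers from that proxy only; the listing should say which deployment it assumes. The string prefix also misses an IPv4-mapped IPv6 literal such as `::ffff:192.168.42.5`. `request.getCookies()` on line 76 returns null when the request has no cookies, which makes `cookies.length` throw, so guard with `if (cookies != null)`, and the `cookie.getValue != null` test on line 79 compares the method reference rather than the value and should read `cookie.getValue() != null`. Worth adding to the header comment that all three signals are client-controlled and only decide whether SPNEGO is attempted; authentication still rests on ticket validation in the SPNEGO flow.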

...

The following example defines the attributes krb_principalname and krb_domain krbPrincipalname and krbDomain that are used in the user directory lookup filter template:

Code Block
languagexml
titleExtract the username and realm from the Kerberos Principal name (V3.4)
collapsetrue
    <!-- The principal name resulting from the authentication. -->
    <AttributeDefinition id="principalName"
                     xsi:type="PrincipalName"
                     dependencyOnly="true">
</AttributeDefinition>
 
<!-- Extract the simple username from the Kerberos Principal name. -->
<AttributeDefinition id="krb_principalname"
                     xsi:type="Mapped"
                     dependencyOnly="true">
    <InputAttributeDefinition ref="principalName" />
 
    <DefaultValue passThru="true"/>
    <ValueMap>
        <ReturnValue>$1</ReturnValue>
        <SourceValue>(.+)@EXAMPLE.ORG</SourceValue>
    </ValueMap>
</AttributeDefinition>
 
                         xsi:type="PrincipalName"
                         dependencyOnly="true">
    </AttributeDefinition>
 
    <!-- MapExtract the Kerberossimple username realmfrom tothe aKerberos domainPrincipal name. -->
    <AttributeDefinition id="krb_domainkrbPrincipalname"
                     xsi:type="Mapped"
                     dependencyOnly="true">
    <InputAttributeDefinition ref="principalName" />
 
    <DefaultValue passThru="true"/>
    <ValueMap>
        <ReturnValue>domain_a.com</ReturnValue>
        <SourceValue>                         xsi:type="Mapped"
                         dependencyOnly="true">
        <InputAttributeDefinition ref="principalName" />
 
        <DefaultValue passThru="true"/>
        <ValueMap>
            <ReturnValue>$1</ReturnValue>
            <SourceValue>(.+)@EXAMPLE.ORG</SourceValue>
        </ValueMap>
    </AttributeDefinition>
 
    <!-- Map the Kerberos realm to a domain name. -->
    <AttributeDefinition id="krbDomain"
                         xsi:type="Mapped"
                         dependencyOnly="true">
        <InputAttributeDefinition ref="principalName" />

        <DefaultValue passThru="true"/>
        <ValueMap>
            <ReturnValue>domain_a.com</ReturnValue>
            <SourceValue>(.+)@DOMAIN_A.COM</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>domainSourceValue>
        </ValueMap>
        <ValueMap>
            <ReturnValue>domain_b.com</ReturnValue>
        <SourceValue>
            <SourceValue>(.+)@DOMAIN_B.COM</SourceValue>
    <
        </ValueMap>
    </AttributeDefinition>
Code Block
languagexml
titleExtract the username and realm from the Kerberos Principal name (V3.3)
collapsetrue
    <!-- The principal name resulting from the authentication. -->
    <resolver:AttributeDefinition id="principalName"
                                  xsi:type="ad:PrincipalName"
                                  dependencyOnly="true">
    </resolver:AttributeDefinition>
 
    <!-- Extract the simple username from the Kerberos Principal name. -->
    <resolver:AttributeDefinition id="krb_principalnamekrbPrincipalname"
                                  xsi:type="ad:Mapped"
                                  sourceAttributeID="principalName"
                                  dependencyOnly="true">
        <resolver:Dependency ref="principalName" />

        <ad:DefaultValue passThru="true"/>
        <ad:ValueMap>
            <ad:ReturnValue>$1</ad:ReturnValue>
            <ad:SourceValue>(.+)@EXAMPLE.ORG</ad:SourceValue>
        </ad:ValueMap>
    </resolver:AttributeDefinition>

    <!-- Map the Kerberos realm to a domain name. -->
    <resolver:AttributeDefinition id="krb_domainkrbDomain"
                                  xsi:type="ad:Mapped"
                                  sourceAttributeID="principalName"
                                  dependencyOnly="true">
        <resolver:Dependency ref="principalName" />

        <ad:DefaultValue passThru="true"/>
        <ad:ValueMap>
            <ad:ReturnValue>domain_a.com</ad:ReturnValue>
            <ad:SourceValue>(.+)@DOMAIN_A.COM</ad:SourceValue>
        </ad:ValueMap>
        <ad:ValueMap>
            <ad:ReturnValue>domain_b.com</ad:ReturnValue>
            <ad:SourceValue>(.+)@DOMAIN_B.COM</ad:SourceValue>
        </ad:ValueMap>
    </resolver:AttributeDefinition>
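Review bot: `krbPrincipalname` strips only the `@EXAMPLE.ORG` realm while `krbDomain` recognises `DOMAIN_A.COM` and `DOMAIN_B.COM`, so a principal such as `bob@DOMAIN_A.COM` yields `krbDomain=domain_a.com` but, via `<ad:DefaultValue passThru="true"/>`, a `krbPrincipalname` of `bob@DOMAIN_A.COM` instead of `bob`, and the `sAMAccountName=` branch of the filter can never match; add one `<ad:ValueMap>` per realm to the username definition so the two attributes cover the same realms. The passThru default also means a principal from a realm not listed here flows unchanged into both attributes and from there into the LDAP filter, which is unlikely to be intended; consider dropping the passThru so an unmapped realm produces no value, and check what the filter template does with an empty attribute. The `.` in `EXAMPLE.ORG` and the domain patterns is an unescaped regex metacharacter; `EXAMPLE\.ORG` is what is meant.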

...

Code Block
languagexml
titleExample LDAP data connector (V3.4)
collapsetrue
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ...>
     
    <FilterTemplate>
        <>

        <InputAttributeDefinition ref="krbPrincipalname" />
        <InputAttributeDefinition ref="krbDomain" />
        <FilterTemplate>
            <![CDATA[
                            (&(|(sAMAccountName=$resolutionContext.principal)(mail=$resolutionContext.principal)(&(sAMAccountName=${krb_principalname$krbPrincipalname.get(0)})(msSFU30NisDomain=${krb_domain$krbDomain.get(0)})))(objectClass=user))
                    ]]>
    <
        </FilterTemplate>
 
            ...
    </DataConnector>
Code Block
languagexml
titleExample LDAP data connector (V3.3)
collapsetrue
    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ...>

        <resolver:Dependency ref="krbPrincipalname" />
        <resolver:Dependency ref="krbDomain" />
        <dc:FilterTemplate>
            <![CDATA[
                (&(|(sAMAccountName=$resolutionContext.principal)(mail=$resolutionContext.principal)(&(sAMAccountName=${krb_principalname$krbPrincipalname.get(0)})(msSFU30NisDomain=${krb_domain$krbDomain.get(0)})))(objectClass=user))
            ]]>
        </dc:FilterTemplate>

        ...
    </resolver:DataConnector>
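Review bot: The filter template interpolates `$resolutionContext.principal`, `$krbPrincipalname.get(0)` and `$krbDomain.get(0)` directly into an LDAP search filter; these values derive from the Kerberos principal rather than a form field, but a principal containing `(`, `)`, `*` or `\` would still alter the filter's structure unless the connector escapes template variables per RFC 4515, which this page does not state — confirm, and record the answer in a comment above the template. `.get(0)` on an attribute that resolved to no values (a realm no upstream ValueMap matches, with no passThru) throws inside Velocity and fails the whole connector, so the template should state that it assumes both attributes are populated. The `(mail=$resolutionContext.principal)` alternative means a Kerberos principal string equal to some other entry's `mail` value can select that entry; if that branch exists for a non-Kerberos flow it may be worth gating it separately. The rendering runs the old `${krb_principalname}` and new `$krbPrincipalname.get(0)` references together on line 241; only the new form belongs in the template.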

...