...
Code Block |
---|
language | js |
---|
title | Whether a cookie has a certain value |
---|
collapse | true |
---|
|
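// Inline activation script (Nashorn/ES5 syntax, hence "var"): the value of the
// last expression is the script's result.
// Default return value.
var activate = false;
// Check whether the cookie "_idp_krbspnego_enabledautologin" is set to "true".
// The cookie is client-supplied, so it only opts a client into the flow that this
// condition activates; it carries no trust of its own.
var cookies = custom.getCookies();
// getCookies() yields null when the request has no cookies at all, so guard
// before reading .length.
if (cookies != null) {
  for (var i = 0; i < cookies.length; i++) {
    var cookie = cookies[i];
    // getValue() must be invoked: comparing the method reference itself to null
    // never fails, so the original check did not guard against a null value.
    var value = cookie.getValue();
    if (cookie.getName() == "_idp_krbspnego_enabledautologin" && value != null && value == "true") {
      activate = true;
      break;
    }
  }
}
// Return the result.
activate;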
...
Code Block |
---|
language | xml |
---|
title | Full implementation, including logging |
---|
collapse | true |
---|
|
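<bean id="shibboleth.SPNEGO.ActivationCondition" parent="shibboleth.Conditions.Scripted" factory-method="inlineScript"
    p:customObject-ref="shibboleth.HttpServletRequest">
    <constructor-arg>
        <value>
            <![CDATA[
            // This script activates SPNEGO if the client is part
            // of the network 192.168.42.0/24, the user agent's
            // identifier string contains the term "Kerberos",
            // or the cookie "_idp_krbspnego_enabledautologin" is set to "true".
            // The script is evaluated with Nashorn (ES5 syntax, hence "var"); the
            // value of its last expression is the condition's result.
            // Create logger object. (Syntax for Java 1.8/Nashorn.)
            var logger = Java.type("org.slf4j.LoggerFactory").getLogger("shibboleth.SPNEGO.ActivationCondition");
            // For Java 1.7 do this instead:
            // importPackage(Packages.org.slf4j);
            // logger = LoggerFactory.getLogger("shibboleth.SPNEGO.ActivationCondition");
            // Default return value.
            var activate = false;
            // Make HTTPServletRequest object known as "request".
            var request = custom;
            // Check the client's IP address. remoteAddr is the immediate TCP peer:
            // behind a reverse proxy or load balancer this is the proxy's address,
            // not the client's, so the network check only works for direct clients.
            if (request.remoteAddr.startsWith("192.168.42.")) {
                logger.debug("Activating SPNEGO for client in network 192.168.42.0/24.");
                activate = true;
            }
            if (!activate) {
                // Check the user agent's identifier string (client-controlled; this
                // only selects clients that are likely to support the flow).
                var identifier = request.getHeader("User-Agent");
                if (identifier != null && identifier.match(/Kerberos/)) {
                    logger.debug("Activating SPNEGO for client with term 'Kerberos' in user agent's identifier string.");
                    activate = true;
                }
            }
            if (!activate) {
                // Check whether the cookie "_idp_krbspnego_enabledautologin" is set.
                // getCookies() yields null when the request carries no cookies, so
                // guard before reading .length.
                var cookies = request.getCookies();
                if (cookies != null) {
                    for (var i = 0; i < cookies.length; i++) {
                        var cookie = cookies[i];
                        // getValue() must be invoked: comparing the method reference
                        // itself to null never fails and guarded nothing.
                        var value = cookie.getValue();
                        if (cookie.getName() == "_idp_krbspnego_enabledautologin" && value != null && value == "true") {
                            logger.debug("Activating SPNEGO for client having cookie '_idp_krbspnego_enabledautologin' set to 'true'.");
                            activate = true;
                            break;
                        }
                    }
                }
            }
            // Return the result.
            activate;
            ]]>
        </value>
    </constructor-arg>
</bean>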
...
The following example defines the attributes krbPrincipalname and krbDomain (previously named krb_principalname and krb_domain) that are used in the user directory lookup filter template:
Code Block |
---|
language | xml |
---|
title | Extract the username and realm from the Kerberos Principal name (V3.4) |
---|
collapse | true |
---|
|
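<!-- The principal name resulting from the authentication. -->
<AttributeDefinition id="principalName"
    xsi:type="PrincipalName"
    dependencyOnly="true">
</AttributeDefinition>
<!-- Extract the simple username from the Kerberos Principal name.
     With passThru="true" a principal whose realm matches no SourceValue is
     passed through unchanged (realm included). The unescaped "." in the realm
     pattern matches any character; use "\." for an exact realm match. -->
<AttributeDefinition id="krbPrincipalname"
    xsi:type="Mapped"
    dependencyOnly="true">
    <InputAttributeDefinition ref="principalName" />
    <DefaultValue passThru="true"/>
    <ValueMap>
        <ReturnValue>$1</ReturnValue>
        <SourceValue>(.+)@EXAMPLE.ORG</SourceValue>
    </ValueMap>
</AttributeDefinition>
<!-- Map the Kerberos realm to a domain name. One ValueMap per realm; an
     unmatched realm is passed through unchanged because of passThru="true". -->
<AttributeDefinition id="krbDomain"
    xsi:type="Mapped"
    dependencyOnly="true">
    <InputAttributeDefinition ref="principalName" />
    <DefaultValue passThru="true"/>
    <ValueMap>
        <ReturnValue>domain_a.com</ReturnValue>
        <SourceValue>(.+)@DOMAIN_A.COM</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>domain_b.com</ReturnValue>
        <SourceValue>(.+)@DOMAIN_B.COM</SourceValue>
    </ValueMap>
</AttributeDefinition>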
Code Block |
---|
language | xml |
---|
title | Extract the username and realm from the Kerberos Principal name (V3.3) |
---|
collapse | true |
---|
|
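<!-- The principal name resulting from the authentication. -->
<resolver:AttributeDefinition id="principalName"
    xsi:type="ad:PrincipalName"
    dependencyOnly="true">
</resolver:AttributeDefinition>
<!-- Extract the simple username from the Kerberos Principal name.
     With passThru="true" a principal whose realm matches no SourceValue is
     passed through unchanged (realm included). The unescaped "." in the realm
     pattern matches any character; use "\." for an exact realm match. -->
<resolver:AttributeDefinition id="krbPrincipalname"
    xsi:type="ad:Mapped"
    sourceAttributeID="principalName"
    dependencyOnly="true">
    <resolver:Dependency ref="principalName" />
    <ad:DefaultValue passThru="true"/>
    <ad:ValueMap>
        <ad:ReturnValue>$1</ad:ReturnValue>
        <ad:SourceValue>(.+)@EXAMPLE.ORG</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>
<!-- Map the Kerberos realm to a domain name. One ValueMap per realm; an
     unmatched realm is passed through unchanged because of passThru="true". -->
<resolver:AttributeDefinition id="krbDomain"
    xsi:type="ad:Mapped"
    sourceAttributeID="principalName"
    dependencyOnly="true">
    <resolver:Dependency ref="principalName" />
    <ad:DefaultValue passThru="true"/>
    <ad:ValueMap>
        <ad:ReturnValue>domain_a.com</ad:ReturnValue>
        <ad:SourceValue>(.+)@DOMAIN_A.COM</ad:SourceValue>
    </ad:ValueMap>
    <ad:ValueMap>
        <ad:ReturnValue>domain_b.com</ad:ReturnValue>
        <ad:SourceValue>(.+)@DOMAIN_B.COM</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>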
...
Code Block |
---|
language | xml |
---|
title | Example LDAP data connector (V3.4) |
---|
collapse | true |
---|
|
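<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ...>
    <!-- Both mapped attributes must be resolved before the filter is rendered. -->
    <InputAttributeDefinition ref="krbPrincipalname" />
    <InputAttributeDefinition ref="krbDomain" />
    <!-- NOTE(review): the resolved values are interpolated into the LDAP filter by
         the template; confirm that the deployed IdP version escapes filter
         metacharacters in these values, or apply escaping in the template. -->
    <FilterTemplate>
        <![CDATA[
            (&(|(sAMAccountName=$resolutionContext.principal)(mail=$resolutionContext.principal)(&(sAMAccountName=${krbPrincipalname.get(0)})(msSFU30NisDomain=${krbDomain.get(0)})))(objectClass=user))
        ]]>
    </FilterTemplate>
    ...
</DataConnector>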
Code Block |
---|
language | xml |
---|
title | Example LDAP data connector (V3.3) |
---|
collapse | true |
---|
|
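<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ...>
    <!-- Both mapped attributes must be resolved before the filter is rendered. -->
    <resolver:Dependency ref="krbPrincipalname" />
    <resolver:Dependency ref="krbDomain" />
    <!-- NOTE(review): the resolved values are interpolated into the LDAP filter by
         the template; confirm that the deployed IdP version escapes filter
         metacharacters in these values, or apply escaping in the template. -->
    <dc:FilterTemplate>
        <![CDATA[
            (&(|(sAMAccountName=$resolutionContext.principal)(mail=$resolutionContext.principal)(&(sAMAccountName=${krbPrincipalname.get(0)})(msSFU30NisDomain=${krbDomain.get(0)})))(objectClass=user))
        ]]>
    </dc:FilterTemplate>
    ...
</resolver:DataConnector>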
...