...
The following example demonstrates pulling an email address from an LDAP directory, encoding it as a name identifier, and releasing it to Google for use with their Google App products.
Code Block |
---|
| xml |
---|
| xml |
---|
title | attribute-resolver.xmlxml |
---|
|
<!--
Attribute definition that expects to get the 'email' attribute from the ldap connector
defined as its dependency and encode it as a SAML 2 name identifier.
-->
<resolver:AttributeDefinition xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="googleNameID"
sourceAttributeID="email">
<!--
The data connector expected to provide the source attribute, email. Note how the
value of the 'ref' attribute is the identifier given to the LDAP data connector.
-->
<resolver:Dependency ref="ldap" />
<!-- Encoder that transforms the attribute into a SAML2 NameID -->
<resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</resolver:AttributeDefinition>
<!-- An LDAP connector that pulls in, at least, an attribute called email. -->
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="ldap"
ldapURL="ldap://directory.example.org"
baseDN="ou=people,dc=example,dc=org"
principal="shibboleth"
principalCredential="$up3r$3cr3+">
<FilterTemplate>
<![CDATA[
(uid=${requestContext.principalName})
]]>
</FilterTemplate>
</resolver:DataConnector>
|
Code Block |
---|
| xml |
---|
| xml |
---|
title | attribute-filter.xmlxml |
---|
|
<AttributeFilterPolicy>
<!--
Trigger this policy just for Google. Note, Google uses an entity ID that is not
standard compliant. If you're doing this for other services the value should be
either a URN or URL.
-->
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com" />
<!--
Release any value of the attribute defined to carry the Google App user identifier.
Note how the value of 'attributeID' matches the ID of the attribute generated by the
simple attribute definition in the resolver configuration.
-->
<AttributeRule attributeID="googleNameID">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<!--
NOTE: Google appears to require that *only* the name identifier be returned to them.
If you return additional attributes by default, you may need to specifically exclude
Google, or it may fail. E.g., an AttributeFilterPolicy that releases the transientId
to everyone would be specified as
-->
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
<!--
Do not release transientId to Google
-->
<PolicyRequirementRule xsi:type="basic:NOT">
<basic:Rule xsi:type="basic:AttributeRequesterString" value="google.com" />
</PolicyRequirementRule>
<AttributeRule attributeID="transientId">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
|