
...

The following example demonstrates pulling an email address from an LDAP directory, encoding it as a SAML name identifier, and releasing it to Google for use with their Google Apps products.

attribute-resolver.xml:
<!--
   Simple attribute definition: takes the 'email' attribute supplied by the LDAP data
   connector it depends on and exposes it as 'googleNameID', to be encoded as a SAML 2
   name identifier when released.
-->
<resolver:AttributeDefinition id="googleNameID"
                              xsi:type="Simple"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="email">

    <!-- 'ref' must equal the id of the data connector that supplies 'email' (see below). -->
    <resolver:Dependency ref="ldap"/>

    <!--
       Encode the value as a SAML 2 NameID.  The 'unspecified' format makes no promise
       about the value's shape and leaves its interpretation to the relying party.
    -->
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>

</resolver:AttributeDefinition>


<!--
   LDAP data connector supplying (at least) the 'email' attribute consumed above.
   Notes for deployers:
     * 'ldapURL' uses plain ldap://, so the bind credential below crosses the network
       in the clear unless the connector is configured for TLS (ldaps:// or StartTLS);
       confirm which of these the directory supports before deploying.
     * 'principalCredential' is stored here in plaintext -- the value shown is only a
       sample.  Keep attribute-resolver.xml readable by the IdP service account alone.
-->
<resolver:DataConnector id="ldap"
                        xsi:type="LDAPDirectory"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        ldapURL="ldap://directory.example.org"
                        baseDN="ou=people,dc=example,dc=org"
                        principal="shibboleth"
                        principalCredential="$up3r$3cr3+">

    <!--
       Search filter; ${requestContext.principalName} is replaced with the name of the
       user who authenticated to the IdP.
    -->
    <FilterTemplate>
        <![CDATA[
            (uid=${requestContext.principalName})
        ]]>
    </FilterTemplate>
</resolver:DataConnector>

attribute-filter.xml:
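<!--
   Release the Google name identifier to Google only.  An 'id' is given here for
   consistency with the other policies in this file (the value is illustrative).
-->
<AttributeFilterPolicy id="releaseGoogleNameID">
    <!--
       Trigger this policy just for Google.  Note, Google uses an entity ID that is not
       standard compliant (a bare host name rather than a URN or URL).  The rule is an
       exact string comparison against the requester's entity ID, so no other requester
       matches it.  For other services the value should be the full URN or URL entity ID.
    -->
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com"/>

    <!--
       Release any value of the attribute defined to carry the Google Apps user identifier.
       'attributeID' must match the id of the simple attribute definition in
       attribute-resolver.xml ('googleNameID').  basic:ANY permits every value; no
       per-value checking is applied.
    -->
    <AttributeRule attributeID="googleNameID">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>

</AttributeFilterPolicy>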


<!--
    NOTE: Google appears to require that *only* the name identifier be returned to them.
    A policy that releases some attribute to every requester must therefore carve Google
    out explicitly, or the Google login may fail.  Example: releasing transientId to
    everyone except Google.
-->
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <!-- Applies to every requester whose entity ID is not 'google.com'. -->
    <PolicyRequirementRule xsi:type="basic:NOT">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="google.com"/>
    </PolicyRequirementRule>

    <!-- Any value of transientId is released to the requesters matched above. -->
    <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>

</AttributeFilterPolicy>