Attribute resolver - configuration
Configure the attribute-resolver.xml at:
- new install: $IDP_INSTALL_DIR/src/installer/resources/conf-tmpl/attribute-resolver.xml (the template copied into place by the installer)
- maintaining the configuration: $IDP_DIR/conf/attribute-resolver.xml (the file the running IdP reads)
The "principal name" provided by Kerberos has the format "Principal@DOMAIN.COM": the user part, an @, then the Kerberos realm, which is upper-case by convention.
You need to verify that your existing configuration accepts this format.
For example, if you were using the e-mail address as the principal name, the following "Mapped" attribute definition can be useful: it rewrites the Kerberos realm suffix into the mail domain, one ValueMap per realm. SourceValue is a regular expression, so the dots in the realm are escaped (an unescaped "DOMAIN_A.COM" would also match "DOMAIN_AxCOM"); with passThru="true" a principal from a realm that has no ValueMap is used unchanged.
(...)
<!-- Getting the mail from the Kerberos Principal Name -->
<resolver:AttributeDefinition id="myPrincipalName" xsi:type="ad:PrincipalName" />

<!-- Rewrite "user@REALM" into the mail address stored in the directory.
     SourceValue is a regular expression (dots escaped); $1 in ReturnValue
     is the first capture group. dependencyOnly: the value feeds other
     definitions and connectors but is not released by itself. -->
<resolver:AttributeDefinition xsi:type="ad:Mapped" id="myPrincipalMail"
                              sourceAttributeID="myPrincipalName" dependencyOnly="true">
    <resolver:Dependency ref="myPrincipalName" />
    <!-- passThru: a value matching no ValueMap is kept as-is -->
    <ad:DefaultValue passThru="true" />
    <ad:ValueMap>
        <ad:SourceValue>(.+)@DOMAIN_A\.COM</ad:SourceValue>
        <ad:ReturnValue>$1@subdomain.domain_a.com</ad:ReturnValue>
    </ad:ValueMap>
    <ad:ValueMap>
        <ad:SourceValue>(.+)@DOMAIN_B\.COM</ad:SourceValue>
        <ad:ReturnValue>$1@subdomain.domain_b.com</ad:ReturnValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>
(...)
With the new attribute "myPrincipalMail" you can, for example, query an LDAP server for the user's entry. The first value of the attribute is substituted directly into the search filter template, so keep it derived only from the authenticated Kerberos principal, as here, and never from a value the user can choose freely. Because the attribute is dependencyOnly, it is available to the connector but is not itself released to service providers.
(...)
<!-- LDAP Connection example (ldapURL, baseDN and bind credentials omitted here) -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory" ... >
    <resolver:Dependency ref="myPrincipalMail" />
    <!-- The first value of myPrincipalMail becomes the mail= term of the filter -->
    <dc:FilterTemplate>
        <![CDATA[
            (&(mail=${myPrincipalMail.get(0)})(objectclass=user))
        ]]>
    </dc:FilterTemplate>
    <!-- Follow referrals, which Active Directory returns for other domains of the forest -->
    <dc:LDAPProperty name="java.naming.referral" value="follow"/>
</resolver:DataConnector>
(...)
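The ValueMap regular expressions are easy to get subtly wrong, and the IdP only reports the result of a mapping once a user logs in. The script below is an added example, not part of this page or of the Shibboleth project: it re-implements the ad:Mapped rules in Python so the SourceValue/ReturnValue pairs can be checked offline, compares the page's unescaped regexes with escaped, case-insensitive ones, and renders the resulting mail= filter with RFC 4515 escaping. It assumes the IdP applies SourceValue as a full match (partialMatch off), that every matching ValueMap contributes a value, and that $n in ReturnValue refers to a capture group; the principals used as input are constructed samples.

```python
# Added example (not from the original page or the Shibboleth project):
# an offline check of the ad:Mapped ValueMap rules above, so the regexes can be
# tested before they go into attribute-resolver.xml. Assumptions: SourceValue
# is applied as a full match, every matching ValueMap adds a value, and $n in
# ReturnValue is a capture-group reference. The principals below are
# constructed sample input.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ValueMap:
    source: str                # <ad:SourceValue> regular expression
    return_value: str          # <ad:ReturnValue>, $1 = first capture group
    ignore_case: bool = False  # ignoreCase="true" on SourceValue


def apply_mapped(value, value_maps, pass_thru=True, default=None):
    """Map one source value the way an ad:Mapped definition does.

    Returns the resolved values: every matching ValueMap's ReturnValue,
    else the value itself when passThru="true", else the DefaultValue if any.
    """
    results = []
    for vm in value_maps:
        flags = re.IGNORECASE if vm.ignore_case else 0
        match = re.fullmatch(vm.source, value, flags)
        if match:
            # Translate Java "$1" group references into Python "\1" for expand().
            template = re.sub(r"\$(\d+)", r"\\\1", vm.return_value)
            results.append(match.expand(template))
    if results:
        return results
    if pass_thru:
        return [value]
    return [default] if default is not None else []


# The ValueMaps with unescaped dots: "." matches any character.
PAGE_MAPS = (
    ValueMap(r"(.+)@DOMAIN_A.COM", "$1@subdomain.domain_a.com"),
    ValueMap(r"(.+)@DOMAIN_B.COM", "$1@subdomain.domain_b.com"),
)

# Hardened: escaped dots and case-insensitive realm, so "DOMAIN_AxCOM" no
# longer matches while a realm written in lower case still does.
HARDENED_MAPS = (
    ValueMap(r"(.+)@DOMAIN_A\.COM", "$1@subdomain.domain_a.com", ignore_case=True),
    ValueMap(r"(.+)@DOMAIN_B\.COM", "$1@subdomain.domain_b.com", ignore_case=True),
)


def ldap_filter_escape(value):
    """RFC 4515 escaping of a value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_filter(mapped_values):
    """Render the page's FilterTemplate for the first mapped value.

    The escaping shows what the substituted value must look like inside the
    filter; check what your IdP version itself does with the template value.
    """
    return "(&(mail=%s)(objectclass=user))" % ldap_filter_escape(mapped_values[0])


if __name__ == "__main__":
    for principal in ("alice@DOMAIN_A.COM", "alice@DOMAIN_AxCOM",
                      "carol@domain_b.com", "bob@OTHER.REALM"):
        print(principal, "->", apply_mapped(principal, PAGE_MAPS),
              "| hardened:", apply_mapped(principal, HARDENED_MAPS))
    print(render_filter(apply_mapped("alice@DOMAIN_A.COM", HARDENED_MAPS)))
```

Run it once for each realm you map and for a principal from a realm you do not map: the second case shows what passThru="true" sends to the LDAP filter, and switching pass_thru to False shows the alternative of resolving nothing for unknown realms.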