The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.


Script Attribute Definition Examples

The following examples are simply that, examples. They do not illustrate all possible configuration properties or features. Refer to the documentation on defining and releasing new attributes for this information.

Send Email Address to Google as Name Identifier

Contributed by: Chad La Joie, SWITCH, Switzerland

The following example demonstrates pulling an email address from an LDAP directory, encoding it as a name identifier, and releasing it to Google for use with their Google App products.

attribute-resolver.xml
<!-- 
   Attribute definition that expects to get the 'email' attribute from the ldap connector
   defined as its dependency and encode it as a SAML 2 name identifier.
-->
<resolver:AttributeDefinition xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="googleNameID"
                              sourceAttributeID="email">

    <!-- 
       The data connector expected to provide the source attribute, email.  Note how the 
       value of the 'ref' attribute is the identifier given to the LDAP data connector. 
    -->
    <resolver:Dependency ref="ldap" />

    <!-- Encoder that transforms the attribute into a SAML2 NameID -->
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />

</resolver:AttributeDefinition>


<!-- An LDAP connector that pulls in, at least, an attribute called email. -->
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="ldap"
                        ldapURL="ldap://directory.example.org"
                        baseDN="ou=people,dc=example,dc=org"
                        principal="shibboleth"
                        principalCredential="$up3r$3cr3+">

    <FilterTemplate>
        <![CDATA[
            (uid=${requestContext.principalName})
        ]]>
    </FilterTemplate>
</resolver:DataConnector>

attribute-filter.xml
<AttributeFilterPolicy>
    <!-- 
       Trigger this policy just for Google.  Note that Google uses an entity ID that is not 
       standards-compliant.  If you're doing this for other services the value should be 
       either a URN or a URL.
    -->
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com" />

    <!-- 
       Release any value of the attribute defined to carry the Google App user identifier.
       Note how the value of 'attributeID' matches the ID of the attribute generated by the
       simple attribute definition in the resolver configuration. 
    -->
    <AttributeRule attributeID="googleNameID">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

</AttributeFilterPolicy>
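The comments above stress that the Dependency `ref` must name the LDAP connector's id and that the filter's `attributeID` must name the resolver definition's id; a slip in either silently releases nothing, and a mistyped comment delimiter stops the file from loading at all. The following is an added consistency check, not code from the Shibboleth project or the page's author; it parses constructed resolver and filter samples that mirror the fragments above (wrapped in the `AttributeResolver` and `AttributeFilterPolicyGroup` roots the real files carry) and reports dangling references and well-formedness errors.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip ElementTree's {namespace} prefix

def parse_error(xml_text):
    """Return the parser's message if the text is not well-formed XML, else None."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return str(exc)
    return None

def dangling_references(resolver_xml, filter_xml):
    """Return every Dependency ref and AttributeRule attributeID that names no
    plugin declared in the resolver; an empty list means the two files agree."""
    resolver = ET.fromstring(resolver_xml)
    plugins = [e for e in resolver.iter() if _local(e.tag) in ("AttributeDefinition", "DataConnector")]
    plugin_ids = {e.get("id") for e in plugins}
    definition_ids = {e.get("id") for e in plugins if _local(e.tag) == "AttributeDefinition"}
    problems = []
    for dep in resolver.iter():
        if _local(dep.tag) == "Dependency" and dep.get("ref") not in plugin_ids:
            problems.append("Dependency ref=%r matches no resolver plugin id" % dep.get("ref"))
    for rule in ET.fromstring(filter_xml).iter():
        if _local(rule.tag) == "AttributeRule" and rule.get("attributeID") not in definition_ids:
            problems.append("AttributeRule attributeID=%r matches no AttributeDefinition id" % rule.get("attributeID"))
    return problems

# Constructed samples mirroring the page's fragments, wrapped in the root elements the real files carry.
RESOLVER = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
      id="googleNameID" sourceAttributeID="email">
    <resolver:Dependency ref="ldap"/>
  </resolver:AttributeDefinition>
  <resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      id="ldap" ldapURL="ldap://directory.example.org" baseDN="ou=people,dc=example,dc=org"/>
</resolver:AttributeResolver>"""
FILTER_OK = """<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy>
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com"/>
    <AttributeRule attributeID="googleNameID"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""
FILTER_TYPO = FILTER_OK.replace('attributeID="googleNameID"', 'attributeID="googleNameId"')  # case slip in the id
BAD_COMMENT = FILTER_OK.replace("<AttributeRule", "<-- release --><AttributeRule", 1)  # '<!--' mistyped as '<--'
```

Running `dangling_references(RESOLVER, FILTER_OK)` returns an empty list, the `FILTER_TYPO` variant reports the mismatched `attributeID`, and `parse_error(BAD_COMMENT)` returns the parser's complaint about the malformed comment.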