Credit should be given to Paul Caskey, who provided this approach in July 2008. There are likely other approaches, but this one does work.
In the attribute-resolver.xml file, you first define the principal as an attribute:
    <!-- this attribute just returns the username as logged in via JAAS -->
    <resolver:AttributeDefinition id="principal" xsi:type="PrincipalName" dependencyOnly="true"
                                  xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                                   xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </resolver:AttributeDefinition>
Then, strip out the username/uid portion of the principal using the regex split attribute definition:
    <!-- This attribute is the above principal name with the kerb realm (e.g. CAMPUS.EDU) split out
         via regex. The dot in the realm is escaped so that only the literal realm name matches. -->
    <resolver:AttributeDefinition xsi:type="RegexSplit" dependencyOnly="true"
                                  xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                                  id="regex_principal_split"
                                  sourceAttributeID="principal"
                                  regex="^(.*?)@CAMPUS\.EDU$">
        <resolver:Dependency ref="principal" />
    </resolver:AttributeDefinition>
Finally, change your LDAP connector filter to look like the following. Note that placing the resolver:Dependency before the FilterTemplate is critical; otherwise "regex_principal_split" will not be interpreted correctly in the CDATA section.
    <resolver:Dependency ref="regex_principal_split" />
    <FilterTemplate>
        <![CDATA[
            (uid=${regex_principal_split.get(0)})
        ]]>
    </FilterTemplate>
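To check what the resolver chain above actually produces for a given principal, here is an added Python model of the two steps (it is not Shibboleth code and does not talk to the IdP). It applies the RegexSplit pattern, then fills the FilterTemplate; the realm pattern, the sample principals and the RFC 4515 escaping of the captured value before it is placed in the LDAP filter are this example's own assumptions.

```python
import re
from typing import List, Optional

# Pattern from the RegexSplit definition, with the realm's dot escaped so it
# matches only a literal "." (assumption: the realm is meant literally).
REALM_REGEX = re.compile(r"^(.*?)@CAMPUS\.EDU$")

# The same pattern with the dot left unescaped, kept only to show the difference.
UNESCAPED_REALM_REGEX = re.compile(r"^(.*?)@CAMPUS.EDU$")

# Characters that RFC 4515 requires to be escaped inside an LDAP filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def regex_split(principal: str, regex: "re.Pattern[str]" = REALM_REGEX) -> List[str]:
    """Model of the RegexSplit attribute definition: each capture group becomes
    one attribute value; a principal that does not match yields no values."""
    match = regex.match(principal)
    return list(match.groups()) if match else []


def ldap_escape(value: str) -> str:
    """Escape a value that will be interpolated into an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter(principal: str) -> Optional[str]:
    """Model of the FilterTemplate (uid=${regex_principal_split.get(0)}).
    Returns None when no uid could be derived, i.e. no LDAP lookup should run."""
    values = regex_split(principal)
    if not values:
        return None
    return f"(uid={ldap_escape(values[0])})"


if __name__ == "__main__":
    # Constructed sample principals, as a Kerberos/JAAS login would report them.
    for p in ("jdoe@CAMPUS.EDU", "jdoe@OTHER.EDU", "jdoe@CAMPUSXEDU", "j*doe@CAMPUS.EDU"):
        print(f"{p!r:24} -> {build_filter(p)!r}")
```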