Translating an objectGUID from base64 to friendly format
RFC 4122 GUIDs can be represented in a few different ways. The most common are as a Base64 encoded string or as a friendly hexadecimal string.
Active Directory's objectGUID is one such type of GUID. Typically it will be available within an IdP as a Base64 encoded string such as:
WchW1G0g6UegSkcmTvRtrA==
Some software may expect this in the friendly format:
d456c859-206d-47e9-a04a-47264ef46dac
Translating the value retrieved by, for example, an LDAPDirectory data connector (with BinaryAttributes configured!) into this friendly value can be achieved using a ScriptedAttribute definition:
<DataConnector id="myLDAP" xsi:type="LDAPDirectory" ... >
    <BinaryAttributes>
        objectGUID
    </BinaryAttributes>
</DataConnector>

<AttributeDefinition id="objectGUID_friendly" xsi:type="ScriptedAttribute" dependencyOnly="true">
    <InputDataConnector ref="myLDAP" attributeNames="objectGUID" />
    <Script><![CDATA[
        if (typeof objectGUID == "undefined" || objectGUID.getValues().size() < 1) {
            // do nothing as objectGUID isn't set
        } else {
            // Decode the Base64 value into the 16 raw GUID bytes.
            var guid_bytes = java.util.Base64.decoder.decode(
                objectGUID.getValues().get(0).getBytes(java.nio.charset.StandardCharsets.UTF_8)
            );
            var jString = Java.type("java.lang.String");
            var guid_f = "";
            // The first three fields (4, 2 and 2 bytes) are stored little-endian,
            // so their bytes are emitted in reverse order; the last two fields
            // (2 and 6 bytes) are stored in network order and emitted as-is.
            // "& 0xff" keeps Java's signed bytes from printing as negative values.
            guid_f += jString.format("%02x", guid_bytes[3] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[2] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[1] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[0] & 0xff);
            guid_f += "-";
            guid_f += jString.format("%02x", guid_bytes[5] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[4] & 0xff);
            guid_f += "-";
            guid_f += jString.format("%02x", guid_bytes[7] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[6] & 0xff);
            guid_f += "-";
            guid_f += jString.format("%02x", guid_bytes[8] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[9] & 0xff);
            guid_f += "-";
            guid_f += jString.format("%02x", guid_bytes[10] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[11] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[12] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[13] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[14] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[15] & 0xff);
            objectGUID_friendly.addValue(guid_f);
        }
    ]]></Script>
</AttributeDefinition>
The objectGUID_friendly attribute can then be used in other attribute definitions (or passed out directly if you remove the dependencyOnly="true" setting).
For example:
<AttributeDefinition id="msft_objectidentifier" xsi:type="Simple">
    <InputAttributeDefinition ref="objectGUID_friendly"/>
    <AttributeEncoder xsi:type="SAML2String"
        name="http://schemas.microsoft.com/identity/claims/objectidentifier"
        friendlyName="objectidentifier"/>
</AttributeDefinition>
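To check the byte reordering done by the script outside the IdP (for instance when a relying party reports a mismatch), here is an added Python example that is not part of the Shibboleth configuration above: it applies the same mixed-endian swap by hand, converts in both directions, and cross-checks the result against the standard library's bytes_le handling. The sample values are the ones quoted in the text; the function names are mine.

```python
import base64
import uuid

# Sample values from the text: the same objectGUID in both encodings.
SAMPLE_B64 = "WchW1G0g6UegSkcmTvRtrA=="
SAMPLE_FRIENDLY = "d456c859-206d-47e9-a04a-47264ef46dac"


def objectguid_to_friendly(b64_value: str) -> str:
    """Decode a Base64 objectGUID and render it in the friendly hex form.

    The 16 raw bytes use Microsoft's mixed-endian layout: the first three
    fields (4, 2 and 2 bytes) are little-endian and must be reversed, the
    last two fields (2 and 6 bytes) are already in the order they are printed.
    """
    raw = base64.b64decode(b64_value, validate=True)
    if len(raw) != 16:
        # A value that is not exactly 16 bytes is not an objectGUID; the IdP
        # script above would silently index past the array or emit garbage.
        raise ValueError(f"objectGUID must decode to 16 bytes, got {len(raw)}")
    # Same byte order as the ScriptedAttribute: 3,2,1,0 | 5,4 | 7,6 | 8..15
    ordered = raw[3::-1] + raw[5:3:-1] + raw[7:5:-1] + raw[8:16]
    h = ordered.hex()
    return f"{h[0:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:32]}"


def friendly_to_objectguid(friendly: str) -> str:
    """Inverse direction: friendly hex form back to the Base64 value LDAP returns."""
    raw_le = uuid.UUID(friendly).bytes_le  # bytes_le re-applies the field swaps
    return base64.b64encode(raw_le).decode("ascii")


def cross_check(b64_value: str) -> bool:
    """Confirm the manual swap agrees with uuid.UUID(bytes_le=...)."""
    raw = base64.b64decode(b64_value, validate=True)
    return objectguid_to_friendly(b64_value) == str(uuid.UUID(bytes_le=raw))


if __name__ == "__main__":
    print(objectguid_to_friendly(SAMPLE_B64))      # d456c859-206d-47e9-a04a-47264ef46dac
    print(friendly_to_objectguid(SAMPLE_FRIENDLY))  # WchW1G0g6UegSkcmTvRtrA==
    print(cross_check(SAMPLE_B64))                  # True
```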