Translating an objectGUID from Base64 to friendly format

RFC 4122 GUIDs can be represented in a few different ways. The most common are as a Base64 encoded string or as a friendly hexadecimal string.

Active Directory’s objectGUID is one such type of GUID. Typically it will be available within an IdP as a Base64 encoded string such as:

WchW1G0g6UegSkcmTvRtrA==

Some software may expect this in the friendly format:

d456c859-206d-47e9-a04a-47264ef46dac

The value retrieved by, for example, an LDAPDirectory data connector (with BinaryAttributes configured!) can be translated into this friendly value using a ScriptedAttribute definition:

<DataConnector id="myLDAP" xsi:type="LDAPDirectory" ... >
    <BinaryAttributes>
        objectGUID
    </BinaryAttributes>
</DataConnector>
<AttributeDefinition id="objectGUID_friendly" xsi:type="ScriptedAttribute" dependencyOnly="true">
    <InputDataConnector ref="myLDAP" attributeNames="objectGUID" />
    <Script><![CDATA[
        if (typeof objectGUID == "undefined" || objectGUID.getValues().size() < 1) {
            // do nothing as objectGUID isn't set
        } else {
            // Decode the Base64 string into the 16 raw GUID bytes
            guid_bytes = java.util.Base64.decoder.decode(
                objectGUID.getValues().get(0).getBytes(java.nio.charset.StandardCharsets.UTF_8)
            );
            var jString = Java.type("java.lang.String");
            guid_f = "";
            // First field (4 bytes) is stored little-endian: emit in reverse order
            guid_f += jString.format("%02x", guid_bytes[3] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[2] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[1] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[0] & 0xff);
            guid_f += "-";
            // Second field (2 bytes), also reversed
            guid_f += jString.format("%02x", guid_bytes[5] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[4] & 0xff);
            guid_f += "-";
            // Third field (2 bytes), also reversed
            guid_f += jString.format("%02x", guid_bytes[7] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[6] & 0xff);
            guid_f += "-";
            // Remaining 8 bytes are emitted in storage order
            guid_f += jString.format("%02x", guid_bytes[8] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[9] & 0xff);
            guid_f += "-";
            guid_f += jString.format("%02x", guid_bytes[10] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[11] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[12] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[13] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[14] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[15] & 0xff);
            objectGUID_friendly.addValue(guid_f);
        }
    ]]></Script>
</AttributeDefinition>

The objectGUID_friendly attribute can then be used in other attribute definitions (or passed out directly if you remove the dependencyOnly="true" setting).

For example:

<AttributeDefinition id="msft_objectidentifier" xsi:type="Simple">
    <InputAttributeDefinition ref="objectGUID_friendly"/>
    <AttributeEncoder xsi:type="SAML2String"
        name="http://schemas.microsoft.com/identity/claims/objectidentifier"
        friendlyName="objectidentifier"/>
</AttributeDefinition>
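
To check the byte reordering done by the ScriptedAttribute outside the IdP, the following Node.js script (an added example, not part of the original page or of Shibboleth; all function names are hypothetical) performs the same conversion with strict input validation. It goes beyond the page by also converting back to Base64 and by showing the different, valid-looking GUID that a straight hex dump of the same bytes produces.

```javascript
// Added example (Node.js); function names are hypothetical.
// Printed-byte order: Data1 (4 bytes), Data2 (2) and Data3 (2) are stored
// little-endian and so are reversed; the last 8 bytes print in storage order.
const ORDER = [3, 2, 1, 0, 5, 4, 7, 6, 8, 9, 10, 11, 12, 13, 14, 15];
const DASH_BEFORE = new Set([4, 6, 8, 10]); // output byte index preceded by "-"
const FRIENDLY_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function decodeGuidBytes(b64) {
  // Buffer.from() skips invalid characters, so check shape and canonical form.
  if (typeof b64 !== "string" || !/^[A-Za-z0-9+\/]{22}==$/.test(b64)) {
    throw new Error("objectGUID must be 24 Base64 characters (16 bytes)");
  }
  const bytes = Buffer.from(b64, "base64");
  if (bytes.toString("base64") !== b64) throw new Error("non-canonical Base64");
  return bytes;
}

function objectGuidToFriendly(b64) {
  const bytes = decodeGuidBytes(b64);
  let out = "";
  ORDER.forEach((src, i) => {
    if (DASH_BEFORE.has(i)) out += "-";
    out += bytes[src].toString(16).padStart(2, "0");
  });
  return out;
}

function friendlyToObjectGuid(friendly) {
  if (!FRIENDLY_RE.test(friendly)) throw new Error("not a friendly-format GUID");
  const hex = friendly.replace(/-/g, "");
  const bytes = Buffer.alloc(16);
  ORDER.forEach((dst, i) => { bytes[dst] = parseInt(hex.slice(i * 2, i * 2 + 2), 16); });
  return bytes.toString("base64");
}

// Straight hex dump of the same bytes: a valid-looking but different GUID.
function naiveHex(b64) {
  const h = decodeGuidBytes(b64).toString("hex");
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join("-");
}

const sample = "WchW1G0g6UegSkcmTvRtrA=="; // value from this page
console.log(objectGuidToFriendly(sample));
console.log(naiveHex(sample));
```

If a relying party matches accounts on this identifier, comparing both outputs against the value it stores shows quickly which byte order it expects.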