Translating a objectGUID from base64 to friendly format

RFC 4122 GUIDs can be represented in a few different ways. The most common are as a Base64 encoded string or as a friendly hexadecimal string.

Active Directory’s objectGUID is one such type of GUID. Typically it will be available within an IdP as a Base64 encoded string such as:

WchW1G0g6UegSkcmTvRtrA==

Some software will may expect this in the friendly format:

d456c859-206d-47e9-a04a-47264ef46dac

To translate the value retrieved by, for example, an LDAPDirectory data connector (with BinaryAttributes configured!) into this friendly value can be achieved using a ScriptedAttribute definition:

<DataConnector id="myLDAP" xsi:type="LDAPDirectory" ... >
    <BinaryAttributes>
        objectGUID
    </BinaryAttributes>
</DataConnector>

<AttributeDefinition id="objectGUID_friendly" xsi:type="ScriptedAttribute" dependencyOnly="true">
    <InputDataConnector ref="myLDAP" attributeNames="objectGUID" />

    <Script><![CDATA[
        if (typeof objectGUID == "undefined" || objectGUID.getValues().size() < 1) {
            // do nothing as objectGUID isn't set
        } else {
            guid_bytes = java.util.Base64.decoder.decode(
                objectGUID.getValues().get(0).getBytes(java.nio.charset.StandardCharsets.UTF_8)
            );
            var jString = Java.type("java.lang.String");

            guid_f = "";
            guid_f += jString.format("%02x", guid_bytes[3] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[2] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[1] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[0] & 0xff);
            guid_f += "-";
            guid_f += jString.format("%02x", guid_bytes[5] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[4] & 0xff);
            guid_f += "-";
            guid_f += jString.format("%02x", guid_bytes[7] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[6] & 0xff);
            guid_f += "-";
            guid_f += jString.format("%02x", guid_bytes[8] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[9] & 0xff);
            guid_f += "-";
            guid_f += jString.format("%02x", guid_bytes[10] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[11] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[12] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[13] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[14] & 0xff);
            guid_f += jString.format("%02x", guid_bytes[15] & 0xff);

            objectGUID_friendly.addValue(guid_f);
        }
        ]]></Script>
</AttributeDefinition>

The objectGUID_friendly attribute can then be used in other attribute definitions (or passed out directly if you remove the dependencyOnly="true" setting).

For example:

<AttributeDefinition id="msft_objectidentifier" xsi:type="Simple">
  <InputAttributeDefinition ref="objectGUID_friendly"/>
  <AttributeEncoder xsi:type="SAML2String"
    name="http://schemas.microsoft.com/identity/claims/objectidentifier"
    friendlyName="objectidentifier"/>
</AttributeDefinition>