Kerberos Login Handler - Attribute resolver
Attribute resolver - configuration
Configure the attribute-resolver.xml at:
- new install: $IDP_INSTALL_DIR/src/installer/resources/conf-tmpl/attribute-resolver.xm
- maintaining the configuration: $IDP_DIR/conf/attribute-resolver.xml
You need to verify that your attribute-resolver configuration is compatible with the Kerberos principal format (principal@REALM.COM).
Example_1: To extract the "principal name" from the Kerberos principal:
(...)
<resolver:AttributeDefinition id="principalName"
                              xsi:type="ad:PrincipalName"
                              dependencyOnly="true">
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="krb_principalname"
                              xsi:type="ad:Mapped"
                              sourceAttributeID="principalName"
                              dependencyOnly="true">
    <resolver:Dependency ref="principalName" />
    <ad:ValueMap>
        <!-- SourceValue is a regex matched against the whole principal;
             the dots are escaped so only a literal ".DOMAIN.COM" realm matches. -->
        <ad:ReturnValue>$1</ad:ReturnValue>
        <ad:SourceValue>(.+)@(.+)\.DOMAIN\.COM</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>
(...)
!Attention: In an Active Directory environment the "principal name" usually corresponds to the LDAP attribute "sAMAccountName" (limited to 20 characters).
Example_2: To extract/format the "realm" from the Kerberos principal:
(...)
<resolver:AttributeDefinition id="krb_domain"
                              xsi:type="ad:Mapped"
                              sourceAttributeID="principalName"
                              dependencyOnly="true">
    <resolver:Dependency ref="principalName" />
    <!-- One ValueMap per realm; a principal from an unlisted realm yields no value. -->
    <ad:ValueMap>
        <ad:ReturnValue>domain_a</ad:ReturnValue>
        <ad:SourceValue>(.+)@REALM_A\.DS\.COM</ad:SourceValue>
    </ad:ValueMap>
    <ad:ValueMap>
        <ad:ReturnValue>domain_b</ad:ReturnValue>
        <ad:SourceValue>(.+)@REALM_B\.DS\.COM</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>
(...)
Example_3: Query the LDAP server:
(...)
<resolver:DataConnector id="fhnwAdmLDAP"
                        xsi:type="dc:LDAPDirectory"
                        ldapURL="${ldap.address}"
                        baseDN="dc=adm,dc=ds,dc=domain_a,dc=com"
                        principal="${ldap.principal}"
                        principalCredential="${ldap.credential}">
    <resolver:Dependency ref="krb_principalname" />
    <resolver:Dependency ref="krb_domain" />
    <dc:FilterTemplate>
        <!--
        (mail=$requestContext.principalName) - matches UsernamePassword Principal
        &(samaccountname=${})(msSFU30NisDomain=${}) - matches Kerberos Principal
        -->
        <![CDATA[
        (&(|(mail=$requestContext.principalName)(&(samaccountname=${krb_principalname.get(0)})(msSFU30NisDomain=${krb_domain.get(0)})))(objectclass=user))
        ]]>
    </dc:FilterTemplate>
    <dc:LDAPProperty name="java.naming.referral" value="follow"/>
</resolver:DataConnector>
(...)
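To check the three examples above before deploying them, the following added script (not part of the original page or of the Shibboleth IdP) simulates the two ad:Mapped definitions and renders the Example_3 filter for a given Kerberos principal. It assumes the principal-name pattern of Example_1 adapted to the *.DS.COM realms of Example_2, and it escapes RFC 4515 metacharacters before substituting values into the filter, which the Velocity template on the page does not do.

```python
import re

# Constructed stand-in for the page's ad:Mapped definitions. Shibboleth matches
# each ad:SourceValue against the whole attribute value (Java Matcher.matches),
# so re.fullmatch is the equivalent. The principal-name pattern is Example_1
# adapted to the *.DS.COM realms of Example_2 (an assumption for this demo).
PRINCIPAL_NAME_MAP = [(r"(.+)@(.+)\.DS\.COM", "$1")]
REALM_MAP = [
    (r"(.+)@REALM_A\.DS\.COM", "domain_a"),
    (r"(.+)@REALM_B\.DS\.COM", "domain_b"),
]

# Same shape as the dc:FilterTemplate in Example_3.
FILTER_TEMPLATE = ("(&(|(mail={principal})(&(samaccountname={name})"
                   "(msSFU30NisDomain={domain})))(objectclass=user))")


def apply_value_map(value, value_map):
    """Return the ReturnValue of the first SourceValue that fully matches, else None."""
    for source_regex, return_value in value_map:
        match = re.fullmatch(source_regex, value)
        if match:
            # Java-style "$1" group references become Python's "\1".
            return match.expand(re.sub(r"\$(\d+)", r"\\\1", return_value))
    return None


def escape_filter_value(value):
    """Escape RFC 4515 metacharacters so a value cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(principal):
    """Resolve krb_principalname/krb_domain for a principal and render the LDAP filter.

    Returns None when the realm is not mapped: in the real resolver the krb_domain
    dependency then carries no value for ${krb_domain.get(0)} to return."""
    name = apply_value_map(principal, PRINCIPAL_NAME_MAP)
    domain = apply_value_map(principal, REALM_MAP)
    if name is None or domain is None:
        return None
    return FILTER_TEMPLATE.format(principal=escape_filter_value(principal),
                                  name=escape_filter_value(name), domain=domain)


if __name__ == "__main__":
    # Constructed sample principals: a normal one, one with filter metacharacters,
    # and one whose realm only matches if the regex dots are left unescaped.
    for p in ("jdoe@REALM_A.DS.COM", "j(doe)@REALM_B.DS.COM", "jdoe@REALM_AXDSXCOM"):
        print(p, "->", build_filter(p))
```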