summaryrefslogtreecommitdiff
path: root/idp/template-config/attribute-resolver.xml
diff options
context:
space:
mode:
authorMarkus Krogh <markus@nordu.net>2017-09-29 17:42:03 +0200
committerMarkus Krogh <markus@nordu.net>2017-09-29 17:42:03 +0200
commit35751e3cf89abf69f11dff7f9a3396d8068becc8 (patch)
tree9f20b007e8e787ea1a5345c2b7200018a2727a59 /idp/template-config/attribute-resolver.xml
parentaf0294d5f773bc071128b1ec1712c62f587c7b0a (diff)
Use ENV for persistentiId, logging
Diffstat (limited to 'idp/template-config/attribute-resolver.xml')
-rw-r--r--idp/template-config/attribute-resolver.xml225
1 files changed, 91 insertions, 134 deletions
diff --git a/idp/template-config/attribute-resolver.xml b/idp/template-config/attribute-resolver.xml
index 1020fc4..92fb1bb 100644
--- a/idp/template-config/attribute-resolver.xml
+++ b/idp/template-config/attribute-resolver.xml
@@ -17,38 +17,31 @@
-->
<AttributeResolver
- xmlns="urn:mace:shibboleth:2.0:resolver"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+ xmlns="urn:mace:shibboleth:2.0:resolver"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
- <!-- ========================================== -->
- <!-- Attribute Definitions -->
- <!-- ========================================== -->
+ <!-- ========================================== -->
+ <!-- Attribute Definitions -->
+ <!-- ========================================== -->
- <!--
+ <!--
The EPPN is the "standard" federated username in higher ed.
For guidelines on the implementation of this attribute, refer
to the Shibboleth and eduPerson documentation. Above all, do
not expose a value for this attribute without considering the
long term implications.
-->
- <!-- This version not used at NORDUnet, see below
- <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
- </AttributeDefinition>
- -->
<!--
The uid is the closest thing to a "standard" LDAP attribute
representing a local username, but you should generally *never*
expose uid to federated services, as it is rarely globally unique.
-->
<AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
</AttributeDefinition>
<!--
@@ -57,52 +50,52 @@
the same as your official email addresses whenever possible.
-->
<AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</AttributeDefinition>
<AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</AttributeDefinition>
<AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" />
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" />
</AttributeDefinition>
<AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct -->
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" />
</AttributeDefinition>
<AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn">
<Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
</AttributeDefinition>
<AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o">
<Dependency ref="staticAttributes" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" />
</AttributeDefinition>
<AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
<Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
</AttributeDefinition>
<!-- Schema: inetOrgPerson attributes-->
<AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType">
<Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" />
</AttributeDefinition>
<!-- Schema: eduPerson attributes -->
@@ -129,101 +122,91 @@
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
</AttributeDefinition>
- <!-- Idp-Installer: the source for this attribute is from the database StoredId and no longer the classic computedID -->
- <!--
- <AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID"
- nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="persistentId">
- <Dependency ref="StoredId" />
- <AttributeEncoder xsi:type="enc:SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
- <AttributeEncoder xsi:type="enc:SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
- </AttributeDefinition>
- -->
-
-<AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
-</AttributeDefinition>
+ <AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" />
+ </AttributeDefinition>
-<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="uid"><!-- In ndn it is uid -->
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
-</AttributeDefinition>
+ <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid"><!-- In ndn it is uid+scope -->
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
+ </AttributeDefinition>
-<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="nordu.net" sourceAttributeID="employeeType">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
-</AttributeDefinition>
+ <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="employeeType">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
+ </AttributeDefinition>
- <!-- from swamid installer -->
+<!-- from swamid installer -->
<AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym">
<Dependency ref="staticAttributes" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" />
</AttributeDefinition>
- <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization">
- <Dependency ref="staticAttributes" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
- </AttributeDefinition>
+ <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization">
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+ </AttributeDefinition>
- <AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType">
- <Dependency ref="staticAttributes" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
- </AttributeDefinition>
+ <AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType">
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+ </AttributeDefinition>
- <!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal -->
+ <!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal -->
- <!-- ========================================== -->
- <!-- Data Connectors -->
- <!-- ========================================== -->
+ <!-- ========================================== -->
+ <!-- Data Connectors -->
+ <!-- ========================================== -->
- <!--
+ <!--
Example LDAP Connector
The connectivity details can be specified in ldap.properties to
share them with your authentication settings if desired.
-->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
- ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
- baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
- <FilterTemplate>
- <![CDATA[
- %{idp.attribute.resolver.LDAP.searchFilter}
- ]]>
- </FilterTemplate>
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
</DataConnector>
<DataConnector id="myLDAPGROUPS" xsi:type="LDAPDirectory"
- ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
- baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
- <FilterTemplate>
- <![CDATA[
- %{idp.attribute.resolver.LDAP.searchFilter}
- ]]>
- </FilterTemplate>
- <ReturnAttributes>memberOf</ReturnAttributes>
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
+ <ReturnAttributes>memberOf</ReturnAttributes>
</DataConnector>
- <DataConnector id="staticAttributes" xsi:type="Static">
- <Attribute id="o">
- <Value>NORDUnet A/S</Value>
- </Attribute>
- <Attribute id="schacHomeOrganization">
- <Value>nordu.net</Value>
- </Attribute>
- <Attribute id="schacHomeOrganizationType">
- <Value>urn:schac:homeOrganizationType:int:NREN</Value>
- </Attribute>
- <Attribute id="norEduOrgAcronym">
- <Value>NORDUNet</Value>
- </Attribute>
+ <DataConnector id="staticAttributes" xsi:type="Static">
+ <Attribute id="o">
+ <Value>NORDUnet A/S</Value>
+ </Attribute>
+ <Attribute id="schacHomeOrganization">
+ <Value>nordu.net</Value>
+ </Attribute>
+ <Attribute id="schacHomeOrganizationType">
+ <Value>urn:schac:homeOrganizationType:int:NREN</Value>
+ </Attribute>
+ <Attribute id="norEduOrgAcronym">
+ <Value>NORDUNet</Value>
+ </Attribute>
<Attribute id="staticeduPersonEntitlement">
<Value>urn:mace:dir:entitlement:common-lib-terms</Value>
<Value>urn:mace:terena.org:tcs:escience-user</Value>
@@ -233,34 +216,8 @@
<Value>urn:mace:swami.se:gmai:sunet-iaas:admin</Value>
<Value>urn:mace:swami.se:gmai:sunet-iaas:user</Value>
</Attribute>
- </DataConnector>
-
-
- <!-- Computed targeted ID connector -->
-<!-- The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.-->
-
-<!-- <DataConnector id="ComputedId" xsi:type="ComputedId"
- generatedAttributeID="computedId"
- sourceAttributeID="uid"
- salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
- <resolver:Dependency ref="myLDAP" />
- </DataConnector>
-
-also in old format the next block
-<resolver:DataConnector id="StoredId"
- xsi:type="StoredId"
- xmlns="urn:mace:shibboleth:2.0:resolver:dc"
- generatedAttributeID="persistentId"
- sourceAttributeID="uid"
- salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
- <resolver:Dependency ref="uid" />
- <ApplicationManagedConnection
- jdbcDriver="com.mysql.jdbc.Driver"
- jdbcURL="jdbc:mysql://mysql:3306/shibboleth?autoReconnect=true&amp;useSSL=false"
- jdbcUserName="idp"
- jdbcPassword="shibboleth" />
-</resolver:DataConnector>
--->
+ </DataConnector>
+ <!-- eduPersonTargetdID placeholder -->
</AttributeResolver>
generated by cgit v1.1 at 2026-01-25 10:27:46 +0000