Diffstat (limited to 'idp/templates/config/attribute-resolver.xml')
-rw-r--r-- | idp/templates/config/attribute-resolver.xml | 223 |
1 files changed, 223 insertions, 0 deletions
diff --git a/idp/templates/config/attribute-resolver.xml b/idp/templates/config/attribute-resolver.xml
new file mode 100644
index 0000000..92fb1bb
--- /dev/null
+++ b/idp/templates/config/attribute-resolver.xml
@@ -0,0 +1,223 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ This file is an EXAMPLE configuration file. While the configuration
+ presented in this example file is semi-functional, it isn't very
+ interesting. It is here only as a starting point for your deployment
+ process.
+
+ Very few attribute definitions and data connectors are demonstrated,
+ and the data is derived statically from the logged-in username and a
+ static example connector.
+
+ Attribute-resolver-full.xml contains more examples of attributes,
+ encoders, and data connectors. Deployers should refer to the Shibboleth
+ documentation for a complete list of components and their options.
+
+ NOTE: This file is from the Nordunet template-config
+
+-->
+<AttributeResolver
+ xmlns="urn:mace:shibboleth:2.0:resolver"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+
+
+ <!-- ========================================== -->
+ <!-- Attribute Definitions -->
+ <!-- ========================================== -->
+
+ <!--
+ The EPPN is the "standard" federated username in higher ed.
+ For guidelines on the implementation of this attribute, refer
+ to the Shibboleth and eduPerson documentation. Above all, do
+ not expose a value for this attribute without considering the
+ long term implications.
+ -->
+ <!--
+ The uid is the closest thing to a "standard" LDAP attribute
+ representing a local username, but you should generally *never*
+ expose uid to federated services, as it is rarely globally unique.
+ -->
+ <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
+ </AttributeDefinition>
+
+ <!--
+ In the rest of the world, the email address is the standard identifier,
+ despite the problems with that practice. Consider making the EPPN value
+ the same as your official email addresses whenever possible.
+ -->
+ <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct -->
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o">
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
+ </AttributeDefinition>
+
+ <!-- Schema: inetOrgPerson attributes-->
+ <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" />
+ </AttributeDefinition>
+
+ <!-- Schema: eduPerson attributes -->
+
+ <AttributeDefinition id="mappedEduPersonEntitlement" xsi:type="Mapped" sourceAttributeID="memberOf" dependencyOnly="true">
+ <Dependency ref="myLDAPGROUPS" />
+ <ValueMap>
+ <ReturnValue>urn:x-ldapgroup:ndn-sysadmin</ReturnValue>
+ <SourceValue>cn=ndn-sysadmin,ou=groups,dc=nordu,dc=net</SourceValue>
+ </ValueMap>
+ <ValueMap>
+ <ReturnValue>urn:x-ldapgroup:ndn-netadmin</ReturnValue>
+ <SourceValue>cn=ndn-netadmin,ou=groups,dc=nordu,dc=net</SourceValue>
+ </ValueMap>
+ <ValueMap>
+ <ReturnValue>urn:x-ldapgroup:ndn-secadmin</ReturnValue>
+ <SourceValue>cn=ndn-secadmin,ou=groups,dc=nordu,dc=net</SourceValue>
+ </ValueMap>
+ </AttributeDefinition>
+
+ <AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" sourceAttributeID="staticeduPersonEntitlement">
+ <Dependency ref="mappedEduPersonEntitlement" />
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid"><!-- In ndn it is uid+scope -->
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="employeeType">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
+ </AttributeDefinition>
+
+<!-- from swamid installer -->
+ <AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym">
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization">
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType">
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+ </AttributeDefinition>
+
+ <!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal -->
+
+
+
+ <!-- ========================================== -->
+ <!-- Data Connectors -->
+ <!-- ========================================== -->
+
+ <!--
+ Example LDAP Connector
+
+ The connectivity details can be specified in ldap.properties to
+ share them with your authentication settings if desired.
+ -->
+ <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
+ </DataConnector>
+ <DataConnector id="myLDAPGROUPS" xsi:type="LDAPDirectory"
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
+ <ReturnAttributes>memberOf</ReturnAttributes>
+ </DataConnector>
+
+ <DataConnector id="staticAttributes" xsi:type="Static">
+ <Attribute id="o">
+ <Value>NORDUnet A/S</Value>
+ </Attribute>
+ <Attribute id="schacHomeOrganization">
+ <Value>nordu.net</Value>
+ </Attribute>
+ <Attribute id="schacHomeOrganizationType">
+ <Value>urn:schac:homeOrganizationType:int:NREN</Value>
+ </Attribute>
+ <Attribute id="norEduOrgAcronym">
+ <Value>NORDUNet</Value>
+ </Attribute>
+ <Attribute id="staticeduPersonEntitlement">
+ <Value>urn:mace:dir:entitlement:common-lib-terms</Value>
+ <Value>urn:mace:terena.org:tcs:escience-user</Value>
+ <Value>urn:mace:terena.org:tcs:personal-user</Value>
+ <Value>urn:mace:rediris.es:entitlement:wiki:tfemc2</Value>
+ <Value>urn:mace:swami.se:gmai:sunet-baas:admin</Value>
+ <Value>urn:mace:swami.se:gmai:sunet-iaas:admin</Value>
+ <Value>urn:mace:swami.se:gmai:sunet-iaas:user</Value>
+ </Attribute>
+ </DataConnector>
+
+ <!-- eduPersonTargetdID placeholder -->
+
+</AttributeResolver>
|
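Review bot: The `schacHomeOrganizationType` definition, just before the "google apps" comment, carries the encoders of `schacHomeOrganization` (same `urn:mace:dir:attribute-def:schacHomeOrganization` name, same `urn:oid:1.3.6.1.4.1.25178.1.2.9` OID and friendlyName), so its value `urn:schac:homeOrganizationType:int:NREN` would be released as a second schacHomeOrganization value instead of as the type attribute; the two encoders should read `<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganizationType" />` and `<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.10" friendlyName="schacHomeOrganizationType" />`. Separately, the `staticeduPersonEntitlement` attribute in the `staticAttributes` connector gives every authenticated principal the whole list, including the `sunet-baas:admin` and `sunet-iaas:admin` values, because a Static connector has no per-user scope; if those are meant for administrators they belong in the `mappedEduPersonEntitlement` group mapping or behind an attribute-filter rule, and a comment above the list should state which relying parties consume each value. It also looks as though the `eduPersonEntitlement` definition, being `Simple` with `sourceAttributeID="staticeduPersonEntitlement"`, would take only that attribute from its dependencies and silently drop the group-mapped values, so the `mappedEduPersonEntitlement` dependency may have no effect — worth confirming with the resolver's debug output before relying on the group mapping. The hunk is the complete new file.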