path: root/idp/templates/config/attribute-resolver.xml
blob: ec861ab8cf60304c165bcde11e2bd83a6487b27a (plain)
<?xml version="1.0" encoding="UTF-8"?>
<!--
    This file is an EXAMPLE configuration file. While the configuration
    presented in this example file is semi-functional, it isn't very
    interesting. It is here only as a starting point for your deployment
    process.

    Very few attribute definitions and data connectors are demonstrated,
    and the data is derived statically from the logged-in username and a
    static example connector.

    Attribute-resolver-full.xml contains more examples of attributes,
    encoders, and data connectors. Deployers should refer to the Shibboleth
    documentation for a complete list of components and their options.

    NOTE: This file is from the Nordunet template-config

-->
<AttributeResolver
  xmlns="urn:mace:shibboleth:2.0:resolver"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">


  <!-- ========================================== -->
  <!--      Attribute Definitions                 -->
  <!-- ========================================== -->

  <!--
    The EPPN is the "standard" federated username in higher ed.
    For guidelines on the implementation of this attribute, refer
    to the Shibboleth and eduPerson documentation. Above all, do
    not expose a value for this attribute without considering the
    long term implications.
    -->
    <!--
    The uid is the closest thing to a "standard" LDAP attribute
    representing a local username, but you should generally *never*
    expose uid to federated services, as it is rarely globally unique.
    -->
    <!-- uid: the local LDAP username, taken from the myLDAP connector.
         Both encoders below make it releasable to relying parties, so the
         warning above applies: keep its release tightly restricted in the
         attribute filter policy rather than relying on this definition. -->
    <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
      <Dependency ref="myLDAP" />
      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" />
      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
    </AttributeDefinition>

    <!--
    In the rest of the world, the email address is the standard identifier,
    despite the problems with that practice. Consider making the EPPN value
    the same as your official email addresses whenever possible.
    -->
    <!-- mail: the LDAP mail attribute, encoded under the mace SAML1 name
         and the standard SAML2 OID for mail. -->
    <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
      <Dependency ref="myLDAP" />
      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
    </AttributeDefinition>

    <!-- email: a second definition over the same LDAP mail attribute,
         with encoder names identical to the "mail" definition above.
         NOTE(review): if both ids are released to the same relying party
         the assertion may carry the mail attribute twice; confirm the
         filter policy releases only one of them, or drop this duplicate. -->
    <AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail">
      <Dependency ref="myLDAP" />
      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
    </AttributeDefinition>

    <!-- commonName: the LDAP cn attribute, released as cn. -->
    <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn">
      <Dependency ref="myLDAP" />
      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" />
      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" />
    </AttributeDefinition>

    <!-- displayName: deliberately sourced from cn rather than a separate
         displayName LDAP attribute; see the inline note from the
         original author. -->
    <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct -->
      <Dependency ref="myLDAP" />
      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" />
      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" />
    </AttributeDefinition>

    <!-- surname: the LDAP sn attribute, released as sn. -->
    <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn">
      <Dependency ref="myLDAP" />
      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" />
      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
    </AttributeDefinition>

    <!-- organizationName: not read from LDAP; the value comes from the
         "o" attribute of the staticAttributes connector below, so every
         principal gets the same organisation name. -->
    <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o">
      <Dependency ref="staticAttributes" />
      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" />
      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" />
    </AttributeDefinition>

    <!-- givenName: the LDAP givenName attribute. -->
    <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
      <Dependency ref="myLDAP" />
      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" />
      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
    </AttributeDefinition>

    <!-- Schema: inetOrgPerson attributes -->
    <!-- employeeType: the raw LDAP employeeType value. Note that the same
         LDAP attribute also feeds eduPersonScopedAffiliation further down,
         so whatever vocabulary is stored here is released twice. -->
    <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType">
      <Dependency ref="myLDAP" />
      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" />
      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" />
    </AttributeDefinition>

    <!-- Schema: eduPerson attributes -->

    <!-- mappedEduPersonEntitlement: translates group DNs from the memberOf
         values returned by myLDAPGROUPS into entitlement URNs. It has no
         encoders and is dependencyOnly, so it is never released by itself;
         it only exists to feed eduPersonEntitlement below. Group DNs with
         no ValueMap entry presumably produce no value (there is no
         DefaultValue here); add a ValueMap per group that should map. -->
    <AttributeDefinition id="mappedEduPersonEntitlement" xsi:type="Mapped" sourceAttributeID="memberOf" dependencyOnly="true">
      <Dependency ref="myLDAPGROUPS" />
      <ValueMap>
        <ReturnValue>urn:x-ldapgroup:ndn-sysadmin</ReturnValue>
        <SourceValue>cn=ndn-sysadmin,ou=groups,dc=nordu,dc=net</SourceValue>
      </ValueMap>
      <ValueMap>
        <ReturnValue>urn:x-ldapgroup:ndn-netadmin</ReturnValue>
        <SourceValue>cn=ndn-netadmin,ou=groups,dc=nordu,dc=net</SourceValue>
      </ValueMap>
      <ValueMap>
        <ReturnValue>urn:x-ldapgroup:ndn-secadmin</ReturnValue>
        <SourceValue>cn=ndn-secadmin,ou=groups,dc=nordu,dc=net</SourceValue>
      </ValueMap>
    </AttributeDefinition>

    <!-- eduPersonEntitlement: intended to combine the static entitlements
         (staticeduPersonEntitlement from the Static connector) with the
         group-derived ones from mappedEduPersonEntitlement.
         NOTE(review): sourceAttributeID names only the static attribute,
         while the mapped definition produces an attribute with its own id;
         depending on the IdP version the group-derived values may be
         ignored here. Verify in a resolver test that a member of one of
         the mapped groups actually receives the urn:x-ldapgroup value. -->
    <AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" sourceAttributeID="staticeduPersonEntitlement">
      <Dependency ref="mappedEduPersonEntitlement" />
      <Dependency ref="staticAttributes" />
      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
    </AttributeDefinition>

    <!-- eduPersonPrimaryAffiliation: passed through from an LDAP attribute
         of the same name. -->
    <AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
      <Dependency ref="myLDAP" />
      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" />
      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" />
    </AttributeDefinition>

    <!-- eduPersonPrincipalName: built as uid plus the scope from the
         idp.scope property, and encoded with the scoped encoders so the
         scope travels as a separate Scope attribute. The EPPN guidance at
         the top of the Attribute Definitions section applies here. -->
    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid"><!-- In ndn it is uid+scope -->
      <Dependency ref="myLDAP" />
      <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
      <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
    </AttributeDefinition>

    <!-- eduPersonScopedAffiliation: the LDAP employeeType value with the
         idp.scope property appended as scope.
         NOTE(review): this assumes employeeType holds values from the
         eduPersonAffiliation vocabulary (member, staff, student, ...);
         anything else stored there is released verbatim under this
         attribute name, so confirm the directory contents. -->
    <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="employeeType">
      <Dependency ref="myLDAP" />
      <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
      <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
    </AttributeDefinition>

<!-- from swamid installer -->
  <!-- norEduOrgAcronym: fixed value from the staticAttributes connector. -->
  <AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym">
    <Dependency ref="staticAttributes" />
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" />
  </AttributeDefinition>

  <!-- schacHomeOrganization: fixed value from the staticAttributes
       connector, encoded under the SCHAC OID for schacHomeOrganization. -->
  <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization">
    <Dependency ref="staticAttributes" />
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
  </AttributeDefinition>

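  <!-- schacHomeOrganizationType: fixed value from the staticAttributes
       connector. It must be encoded under its own name and OID
       (1.3.6.1.4.1.25178.1.2.10); the template previously reused the
       schacHomeOrganization encoders here, so the type value was released
       under the wrong attribute name and collided with the real
       schacHomeOrganization above. The SAML1 name follows the
       urn:mace:dir:attribute-def convention used throughout this file. -->
  <AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType">
    <Dependency ref="staticAttributes" />
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganizationType" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.10" friendlyName="schacHomeOrganizationType" />
  </AttributeDefinition>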

  <!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal -->



  <!-- ========================================== -->
  <!--      Data Connectors                       -->
  <!-- ========================================== -->

  <!--
    Example LDAP Connector

    The connectivity details can be specified in ldap.properties to
    share them with your authentication settings if desired.
    -->
    <!-- myLDAP: the per-user LDAP lookup. URL, base DN and search filter
         all come from idp.attribute.resolver.LDAP.* properties; nothing in
         this element names a bind principal, credential or TLS setting, so
         those are either defaulted or configured elsewhere.
         NOTE(review): confirm the ldapURL property uses ldaps or StartTLS
         and that the bind identity is the intended service account.
         No ReturnAttributes is given, so presumably every readable
         attribute of the matched entry is fetched; listing only the
         attributes used above would narrow what the IdP pulls. -->
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
      ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
      baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
      <FilterTemplate>
        <![CDATA[
        %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
      </FilterTemplate>
    </DataConnector>
    <!-- myLDAPGROUPS: same server, base DN and filter as myLDAP, but only
         memberOf is returned; it exists solely to feed the Mapped
         entitlement definition. Because the connection details are
         duplicated, a change to myLDAP must be mirrored here. -->
    <DataConnector id="myLDAPGROUPS" xsi:type="LDAPDirectory"
      ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
      baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
      <FilterTemplate>
        <![CDATA[
        %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
      </FilterTemplate>
      <ReturnAttributes>memberOf</ReturnAttributes>
    </DataConnector>

    <!-- staticAttributes: constant values supplied to every principal that
         is resolved through this file, independent of the LDAP result.
         NOTE(review): the four staticeduPersonEntitlement values are
         therefore asserted for all authenticated users, not just members
         of a particular group; confirm that each of them is meant to be
         granted that broadly, since relying parties may authorise on them. -->
    <DataConnector id="staticAttributes" xsi:type="Static">
      <Attribute id="o">
        <Value>NORDUnet A/S</Value>
      </Attribute>
      <Attribute id="schacHomeOrganization">
        <Value>nordu.net</Value>
      </Attribute>
      <Attribute id="schacHomeOrganizationType">
        <Value>urn:schac:homeOrganizationType:int:NREN</Value>
      </Attribute>
      <Attribute id="norEduOrgAcronym">
        <Value>NORDUnet</Value>
      </Attribute>
      <Attribute id="staticeduPersonEntitlement">
        <Value>urn:mace:dir:entitlement:common-lib-terms</Value>
        <Value>urn:mace:terena.org:tcs:escience-user</Value>
        <Value>urn:mace:terena.org:tcs:personal-user</Value>
        <Value>urn:mace:rediris.es:entitlement:wiki:tfemc2</Value>
      </Attribute>
    </DataConnector>

  <!-- eduPersonTargetedID placeholder -->

</AttributeResolver>