...
### orcid.org
$TransformRules = [Ordered]@{}
$TransformRules.eduPersonUniqueID = $AllTransformRules.eduPersonUniqueID
$IssuanceTransformRuleManualSP["https://orcid.org/saml2/sp/1"] = $TransformRules
###
Digicert
Sectigo (Cert-manager)
Sectigo needs eduPersonEntitlement = urn:mace:terena.org:tcs:personal-user for all AL2 users.
Below is an example where the AL2 is retrieved from an AD group. Change the code based on how AL2 is stored in your institution.
### Cert-manager (Sectigo)
### Digicert
$TransformRules = [Ordered]@{}
$TransformRules[".eduPersonPrincipalName"] = $AllTransformRules[".eduPersonPrincipalName"]
$TransformRules[".displayName"] = $AllTransformRules["displayName"]
$TransformRules["mail"] = $AllTransformRules["mail"]
$TransformRules["schacHomeOrganization"] = $AllTransformRules["schacHomeOrganization"]
$TransformRules["eduPersonEntitlement"] = $AllTransformRules["eduPersonEntitlement"]
.displayName
$TransformRules.givenName = $AllTransformRules.givenName
$TransformRules.mail = $AllTransformRules.mail
$TransformRules.sn = $AllTransformRules.sn
$TransformRules.schacHomeOrganization = $AllTransformRules.schacHomeOrganization
$TransformRules.eduPersonEntitlement = [PSCustomObject]@{
Rule=@"
@RuleName = "Set eduPersonEntitlement for AL2 users"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "<group name containing all AL2 users>"]
=> issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7", Value = "urn:mace:terena.org:tcs:personal-user", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
"@
Attribute="http://schemas.xmlsoap.org/claims/Group"
}
$IssuanceTransformRuleManualSP["https://wwwcert-manager.digicert.com/ssoshibboleth"] = $TransformRules
###
You also need to the following changes to the SP in the AD FS Management Console:
...
###
InAcademia
### Inacademia
$TransformRules = [Ordered]@{}
$TransformRules.transientid = [PSCustomObject]@{
Rule=@"
@RuleName = "synthesize persistent-id"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
=> add(store = "_OpaqueIdStore", types = ("urn:adfstk:persistentid"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);
@RuleName = "issue persistent-id"
c:[Type == "urn:adfstk:persistentid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Issuer = c.Issuer,
OriginalIssuer = c.OriginalIssuer,
Value = c.Value, ValueType = c.ValueType,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "[ReplaceWithSPNameQualifier]",
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://$($Settings.configuration.StaticValues.ADFSExternalDNS)");
"@
Attribute=""
}
$IssuanceTransformRuleManualSP["https://inacademia.org/metadata/inacademia-simple-validation.xml"] = $TransformRules
###
...