Example of a standard attribute resolver for Shibboleth IdP v5 and above
This is an example of a standard attribute resolver for SWAMID 2.0 in a Shibboleth IdP which contains definitions of alla attribute defined in SWAMID's Entity Category attribute release in SWAMID. Check the comments in the XML and replace any values as needed. Furthermore, check that you read the attributes from the correct data source.
The latest published SWAMID example standard resolver for Shibboleth Identity Provider is published at https://mds.swamid.se/entity-configurations/Shibboleth-IdP/v5
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is an EXAMPLE configuration file for use within the
SWAMID federation containing lots of example attributes, encoders,
and a couple of example data connectors.
Based on assumption that we are using AttributeRegistry for most of our attributes
Not all attribute definitions or data connectors are demonstrated, but
a variety of LDAP attributes, some common to Shibboleth deployments and
many not, are included.
Deployers should refer to the Identity Provider documentation
https://wiki.shibboleth.net/confluence/display/IDP4/AttributeResolverConfiguration
for a complete list of components and their options.
-->
<AttributeResolver
xmlns="urn:mace:shibboleth:2.0:resolver"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- ========================================== -->
<!-- Simple attributes are exported directly from the LDAP connector. -->
<!-- Use this if the eduPersonPrincipalName is stored in myLDAP -->
<!--
<AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName">
<InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/>
</AttributeDefinition>
-->
<!-- Or this if you want a scoped eduPersonPrincipalName. Change the attributeNames as appropriate to your LDAP -->
<AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}">
<InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/>
</AttributeDefinition>
<AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}">
<InputDataConnector ref="myLDAP" attributeNames="eduPersonAffiliation"/>
</AttributeDefinition>
<!-- filteredLDAPEduPersonAssurance script which checks if the user has AL2 or AL3 in LDAP and releases them together with appropriate similar RAF attributes -->
<!-- AL3 is only released if the SP has requested Refeds MFA authentication context -->
<!-- Output of this script must be used in the eduPersonAssurance attribute definition -->
<!-- NOTE WELL - You must ensure that you only release attribute values that your organisation has approval for! Read through this code and understand it fully before using it! -->
<AttributeDefinition id="filteredLDAPEduPersonAssurance" xsi:type="ScriptedAttribute">
<InputDataConnector ref="myLDAP" attributeNames="eduPersonAssurance"/>
<InputDataConnector ref="staticAttributes" attributeNames="allowedLDAPEduPersonAssurance"/>
<Script><![CDATA[
logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute.resolver.eppnbuilder");
mfaPrincipalName = "https://refeds.org/profile/mfa";
al3Assurance = "http://www.swamid.se/policy/assurance/al3"
al2Assurance = "http://www.swamid.se/policy/assurance/al2"
rafMedium = "https://refeds.org/assurance/IAP/medium"
rafHigh = "https://refeds.org/assurance/IAP/high"
rafLocalEnterprise = "https://refeds.org/assurance/IAP/local-enterprise"
rafCappuccino = "https://refeds.org/assurance/profile/cappuccino"
rafEspresso = "https://refeds.org/assurance/profile/espresso"
try {
// Loop over the eduPersonAssurance values stored in the backend
for(i = 0; i < eduPersonAssurance.getValues().size(); i++)
{
value = eduPersonAssurance.getValues().get(i);
// Check value against the static attribute id allowLDAPEduPersonAssurance which contains the values we can process below
if (allowedLDAPEduPersonAssurance.getValues().contains(value))
{
// If the user has AL2 in our backend, we add AL2, rafLocalEnterprise and rafMedium to eduPersonAssurance.
// Change AL2 to the string you have in your LDAP
if (value == "AL2")
{
filteredLDAPEduPersonAssurance.addValue(al2Assurance);
filteredLDAPEduPersonAssurance.addValue(rafMedium);
filteredLDAPEduPersonAssurance.addValue(rafCappuccino);
filteredLDAPEduPersonAssurance.addValue(rafLocalEnterprise);
}
// If the user has AL3 in our backend...
// Change AL3 to the string you have in your LDAP
if (value == "AL3")
{
// Remove comment if eduPersonAssurance only contain the highest value
// filteredLDAPEduPersonAssurance.addValue(al2Assurance);
// filteredLDAPEduPersonAssurance.addValue(rafMedium);
// filteredLDAPEduPersonAssurance.addValue(rafCappuccino);
// filteredLDAPEduPersonAssurance.addValue(rafLocalEnterprise);
// Following ascertains if the SP has requested Refeds MFA
if (profileContext)
{
authenticationContext = profileContext.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
if(authenticationContext)
{
requestedPrincipalContext = authenticationContext.getSubcontext("net.shibboleth.idp.authn.context.RequestedPrincipalContext");
if(requestedPrincipalContext)
{
matchingPrincipal = requestedPrincipalContext.getMatchingPrincipal();
if (matchingPrincipal && matchingPrincipal.getName() == mfaPrincipalName)
{
// User is AL3 and we are logging in with MFA, release AL3 assurance, rafHigh and rafEspresso
filteredLDAPEduPersonAssurance.addValue(al3Assurance);
filteredLDAPEduPersonAssurance.addValue(rafHigh);
filteredLDAPEduPersonAssurance.addValue(rafEspresso);
}
}
}
}
}
}
}
} catch(err) {
// Put a warning in the logs, might be wrong in LDAP, or this script! The static variables will still be released.
logger.info("eduPersonAssurance not set in LDAP.");
}
]]>
</Script>
</AttributeDefinition>
<!-- eduPersonAssurance - output from script above together with the base RAF and AL1 that are always released -->
<!-- NOTE WELL: Your organisation must be approved for at least AL1 to use this! -->
<AttributeDefinition xsi:type="Simple" id="eduPersonAssurance">
<InputAttributeDefinition ref="filteredLDAPEduPersonAssurance" />
<InputDataConnector ref="staticAttributes" attributeNames="refedsAssuranceFramework assuranceLevel1"/>
</AttributeDefinition>
<!-- Schema: SCHema for ACademia (SCHAC) -->
<!-- This takes the norEduPersonNIN and returns the date of birth part. -->
<!-- Uncomment InputAttributeDefinition if norEduPersonNIN is generated by a script or InputDataConnector if it is an attribute in LDAP -->
<AttributeDefinition xsi:type="RegexSplit" id="schacDateOfBirth" regex="^((18|19|20)?[0-9]{2}((0[0-9])|(10|11|12))((([0-2][0-9])|(3[0-1]))|((6[1-9])|([7-8][0-9])|(9[0-1])))).*$">
<!-- <InputAttributeDefinition ref="norEduPersonNIN"/> -->
<!-- <InputDataConnector ref="myLDAP" attributeNames="norEduPersonNIN" /> -->
</AttributeDefinition>
<!-- This is a multi-value attribute that can be used for many use cases, for example the European Student Identifier (ESI). -->
<!-- If exists in LDAP you need to add it to exports in DataConnector id="myLDAP", then it will be picked up and handle by attributeRegistry -->
<!-- Alternative to above for when European Student Identifier (ESI) is not included in schacPersonalUniqueCode, uuid part is existing in another -->
<!-- LDAP attribute and needs to be concatenated with the first part of the string to form the complete schacPersonalUniqueCode. This example -->
<!-- simply uses the fictional attribute ExterntStudentUID. This needs to be changed in three places to the attribute you are actually using! -->
<!--
<AttributeDefinition xsi:type="ScriptedAttribute" id="schacPersonalUniqueCode">
<InputDataConnector ref="myLDAP" attributeNames="ExterntStudentUID" />
<Script>
<![CDATA[
logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute.resolver.eppnbuilder");
try {
if (ExterntStudentUID) {
value=ExterntStudentUID.getValues().get(0);
if (value != null) {
schacPersonalUniqueCode.getValues().add("urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-" + value);
}
}
} catch (err) {
logger.info("Error: " + err);
}
]]>
</Script>
</AttributeDefinition>
-->
<!-- Static Attributes -->
<!-- Not configured in attributes/inetOrgPerson.xml -->
<!-- configued here instead of creating a new file -->
<AttributeDefinition xsi:type="Simple" id="co">
<InputDataConnector ref="staticAttributes" attributeNames="co"/>
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:co" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.43" friendlyName="co" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="c">
<InputDataConnector ref="staticAttributes" attributeNames="c"/>
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:c" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.6" friendlyName="c" encodeType="false" />
</AttributeDefinition>
<!-- Schema: SAML Subject ID Attributes -->
<AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}">
<InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/>
</AttributeDefinition>
<!-- Schema: SAML Subject ID Attributes (alternative example) -->
<!-- Use this if your idp.persistentId.sourceAttribute contains invalid characters like underscore or full stop (period).
<AttributeDefinition id="preSamlSubjectID" xsi:type="ScriptedAttribute">
<InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/>
<Script><![CDATA[
logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute.resolver.eppnbuilder");
// Script to replace underscore with %5F
try {
// If idp.persistentId.sourceAttribute is not uid, then you need to amend the content of the script
source=uid.getValues().get(0);
source=source.replaceAll("_", "=5F");
source=source.replaceAll("[\.]", "=2E");
preSamlSubjectID.getValues().add(source);
}
catch(err) {
logger.info("Error: " + err);
}
]]>
</Script>
</AttributeDefinition>
<AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}">
<InputAttributeDefinition ref="preSamlSubjectID" />
</AttributeDefinition>
-->
<AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
<InputDataConnector ref="computed" attributeNames="computedId"/>
</AttributeDefinition>
<!-- Deprecated SWAMID eduPersonTargetedID -->
<AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
<InputDataConnector ref="StoredId" attributeNames="persistentId"/>
</AttributeDefinition>
<!-- Swedish eID Framework, personalIdentityNumber. Release norEduPersonNIN if it only contains numbers (filter out interim numbers) -->
<!-- Uncomment InputAttributeDefinition if norEduPersonNIN is generated by a script or InputDataConnector if it is an attribute in LDAP -->
<AttributeDefinition xsi:type="RegexSplit" id="personalIdentityNumber" regex="^((18|19|20)?[0-9]{2}((0[0-9])|(10|11|12))((([0-2][0-9])|(3[0-1]))|((6[1-9])|([7-8][0-9])|(9[0-1])))[0-9]{4})$">
<!-- <InputAttributeDefinition ref="norEduPersonNIN"/> -->
<!-- <InputDataConnector ref="myLDAP" attributeNames="norEduPersonNIN" /> -->
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:personalIdentityNumber" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.2.752.29.4.13" friendlyName="personalIdentityNumber" encodeType="false" />
</AttributeDefinition>
<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->
<!-- Example Static Connector -->
<DataConnector id="staticAttributes" xsi:type="Static"
exportAttributes="o norEduOrgAcronym schacHomeOrganization schacHomeOrganizationType">
<Attribute id="o">
<Value>ORGANIZATION_NAME</Value>
</Attribute>
<Attribute id="norEduOrgAcronym">
<Value>ORGANIZATION_ACRONYM</Value>
</Attribute>
<Attribute id="c">
<Value>ISO_COUNTRY_CODE</Value>
</Attribute>
<Attribute id="co">
<Value>ISO_COUNTRY_NAME</Value>
</Attribute>
<Attribute id="schacHomeOrganization">
<Value>SCHAC_HOME_ORG_DOMAIN_NAME</Value>
</Attribute>
<Attribute id="schacHomeOrganizationType">
<Value>urn:schac:homeOrganizationType:eu:higherEducationInstitution</Value>
<!-- This value is for EU higher education institution, other allowed values are:
- urn:schac:homeOrganizationType:eu:educationInstitution
- urn:schac:homeOrganizationType:int:NREN
- urn:schac:homeOrganizationType:int:universityHospital
- urn:schac:homeOrganizationType:int:NRENAffiliate
- urn:schac:homeOrganizationType:int:other
-->
</Attribute>
<!-- Refeds Assurance Framework and eduPersonAssurance -->
<!-- Use following in conjunction with scripted attribute filteredEduPersonAssurance -->
<!-- Add the strings that you use in your LDAP -->
<Attribute id="allowedLDAPEduPersonAssurance">
<Value>http://www.swamid.se/policy/assurance/al2</Value>
<Value>http://www.swamid.se/policy/assurance/al3</Value>
<Value>AL2</Value>
<Value>AL3</Value>
</Attribute>
<!-- Use following in conjunction with attribute eduPersonAssurance -->
<Attribute id="assuranceLevel1">
<Value>http://www.swamid.se/policy/assurance/al1</Value>
<Value>https://refeds.org/assurance/IAP/low</Value>
</Attribute>
<!-- Refeds Assurance Framework static value, used in conjunction with scripted attribute filteredEduPersonAssurance -->
<Attribute id="refedsAssuranceFramework">
<Value>https://refeds.org/assurance</Value>
<Value>https://refeds.org/assurance/ID/unique</Value>
<Value>https://refeds.org/assurance/ID/eppn-unique-no-reassign</Value>
<Value>https://refeds.org/assurance/ATP/ePA-1m</Value>
</Attribute>
</DataConnector>
<DataConnector id="StoredId"
xsi:type="StoredId"
generatedAttributeID="persistentId"
salt="%{idp.persistentId.salt}">
<InputAttributeDefinition ref="%{idp.persistentId.sourceAttribute}"/>
<BeanManagedConnection>MyGlobalDataSource</BeanManagedConnection>
</DataConnector>
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
principal="%{idp.attribute.resolver.LDAP.bindDN}"
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
exportAttributes="mail displayName sn givenName uid eduPersonAffiliation norEduPersonNIN">
<FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
</FilterTemplate>
</DataConnector>
<!-- Example Relational Database Connector -->
<!--
<DataConnector id="mySIS" xsi:type="RelationalDatabase">
<ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
jdbcUserName="myid"
jdbcPassword="mypassword" />
<QueryTemplate>
<![CDATA[
SELECT * FROM student WHERE gzbtpid = '$resolutionContext.principal'
]]>
</QueryTemplate>
<Column columnName="gzbtpid" attributeID="uid" />
<Column columnName="fqlft" attributeID="gpa" />
</DataConnector>
-->
<!-- Example LDAP Connector -->
<!--
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
principal="%{idp.attribute.resolver.LDAP.bindDN}"
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
startTLSTimeout="%{idp.attribute.resolver.LDAP.startTLSTimeout}"
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
connectionStrategy="%{idp.attribute.resolver.LDAP.connectionStrategy}"
noResultIsError="true"
multipleResultsIsError="true"
excludeResolutionPhases="c14n/attribute"
exportAttributes="mail displayName sn givenName departmentNumber employeeNumber eduPersonEntitlement eduPersonAssurance">
<FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
</FilterTemplate>
<ConnectionPool
minPoolSize="%{idp.pool.LDAP.minSize:3}"
maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
validateDN="%{idp.pool.LDAP.validateDN:}"
validateOnCheckout="%{idp.pool.LDAP.validateOnCheckout:false}"
validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
prunePeriod="%{idp.pool.LDAP.prunePeriod:PT5M}"
expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
</DataConnector>
-->
<!-- DataConnector for pairwise-id (example depends on saml-nameid.properties). -->
<DataConnector id="computed" xsi:type="ComputedId"
excludeResolutionPhases="c14n/attribute"
generatedAttributeID="computedId"
salt="%{idp.persistentId.salt}"
algorithm="%{idp.persistentId.algorithm:SHA}"
encoding="%{idp.persistentId.encoding:BASE32}">
<InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
</DataConnector>
</AttributeResolver>
Contact us
Please contact service manager Pål Axelsson, pax@sunet.se