Mapped Affiliation in Attribute Resolver
In some circumstances the affiliation values required for eduPersonScopedAffiliation and eduPersonAffiliation are not available within the organisation's directory service, and it may be more straightforward to configure them using either a scripted attribute or an attribute map based on the OrganizationalUnit (OU) or Container (CN) of the user object.

Alternatively, if LDAP/Active Directory groups are already in use for such classification, then using those is also possible (see the Shibboleth Wiki page "LDAP Nested Groups" for details).

Examples of scripted attributes have been distributed previously; the Scripted Affiliation approach is deprecated in favour of the following example.

The following are two AttributeDefinitions, one each for eduPersonScopedAffiliation (which depends on eduPersonAffiliation) and for eduPersonAffiliation, within which the attribute map is configured.
```xml
<AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}">
    <InputAttributeDefinition ref="eduPersonAffiliation"/>
    <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false"/>
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false"/>
</AttributeDefinition>
```
The following is the eduPersonAffiliation attribute; it uses an attribute definition of type Mapped to derive the affiliations from the dn (distinguishedName) of the user object in LDAP.

Note:
- You may need to update your ldap.properties so that idp.attribute.resolver.LDAP.returnAttributes includes distinguishedName.
- You should update the OU values in the SourceValue elements to match the OrganizationalUnit (OU) or Container (CN) names in your LDAP directory. The example below uses a partial match in <SourceValue>, but you may prefer a more complete match, e.g. `.*CN=Staff,DC=camford,DC=ac,DC=uk$`.
```xml
<AttributeDefinition xsi:type="Mapped" id="eduPersonAffiliation">
    <InputDataConnector attributeNames="distinguishedName" ref="myLDAP"/>
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false"/>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false"/>
    <DefaultValue>affiliate</DefaultValue>
    <ValueMap>
        <ReturnValue>student</ReturnValue>
        <SourceValue partialMatch="true">OU=Students</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>member</ReturnValue>
        <SourceValue partialMatch="true">OU=Students</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>staff</ReturnValue>
        <SourceValue partialMatch="true">OU=Staff</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>member</ReturnValue>
        <SourceValue partialMatch="true">OU=Staff</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>staff</ReturnValue>
        <SourceValue partialMatch="true">OU=IT</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>member</ReturnValue>
        <SourceValue partialMatch="true">OU=IT</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>staff</ReturnValue>
        <SourceValue partialMatch="true">OU=Admin</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>member</ReturnValue>
        <SourceValue partialMatch="true">OU=Admin</SourceValue>
    </ValueMap>
</AttributeDefinition>
```
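To make the partial-match caveat in the note above concrete, here is an added Python emulation of how a Mapped definition applies its ValueMaps: a SourceValue with partialMatch="true" is a regex that may match anywhere in the input value (re.search), otherwise it must match the whole value (re.fullmatch), every matching ValueMap contributes its ReturnValue, and the DefaultValue is used when nothing matches. This is example code, not Shibboleth's own implementation. The user DNs, the account names and the directory suffix DC=camford,DC=ac,DC=uk (borrowed from the note's own regex) are constructed for the demonstration. It runs the page's loose `OU=...` patterns beside suffix-anchored versions of the same patterns to show where a loose match over-assigns affiliation, for instance a vendor account in an OU whose name merely starts with "IT".

```python
import re

# Constructed table of the OU -> affiliation pairs from the page's ValueMaps,
# kept in the same order as the XML so results come back in the same order.
OU_AFFILIATIONS = [
    ("Students", ["student", "member"]),
    ("Staff", ["staff", "member"]),
    ("IT", ["staff", "member"]),
    ("Admin", ["staff", "member"]),
]

# Assumed directory suffix, taken from the regex in the page's own note.
BASE_DN = "DC=camford,DC=ac,DC=uk"

# One (return_value, source_regex, partial_match) tuple per <ValueMap>.
# LOOSE_MAPS is exactly what the page's XML does:
#   <SourceValue partialMatch="true">OU=Students</SourceValue>
LOOSE_MAPS = [(rv, f"OU={ou}", True) for ou, rvs in OU_AFFILIATIONS for rv in rvs]

# ANCHORED_MAPS keep partialMatch="true" but pin the OU to the directory
# suffix, so only an object whose parent container is that OU matches:
#   <SourceValue partialMatch="true">,OU=Students,DC=camford,DC=ac,DC=uk$</SourceValue>
ANCHORED_MAPS = [
    (rv, f",OU={re.escape(ou)},{re.escape(BASE_DN)}$", True)
    for ou, rvs in OU_AFFILIATIONS for rv in rvs
]


def map_value(value, value_maps, default="affiliate", ignore_case=False):
    """Emulate a Mapped attribute definition for a single input value.

    partial_match=True  -> regex may match anywhere in the value (re.search)
    partial_match=False -> regex must match the whole value (re.fullmatch)
    ignore_case mirrors SourceValue's ignoreCase attribute; LDAP DN attribute
    types are case-insensitive, so 'ou=' and 'OU=' are the same container.
    Returns the distinct ReturnValues of every matching ValueMap, or the
    DefaultValue if no ValueMap matched.
    """
    flags = re.IGNORECASE if ignore_case else 0
    results = []
    for return_value, source_regex, partial in value_maps:
        matcher = re.search if partial else re.fullmatch
        if matcher(source_regex, value, flags) and return_value not in results:
            results.append(return_value)
    return results or [default]


# Constructed sample user objects (not real directory data).
SAMPLE_DNS = {
    "alice": f"CN=alice,OU=Students,{BASE_DN}",                  # a student
    "bob": f"CN=bob,OU=Students Union,OU=Staff,{BASE_DN}",       # staff, works in the Students Union office
    "svc-backup": f"CN=svc-backup,OU=IT Vendors,OU=External,{BASE_DN}",  # external vendor account
    "carol": f"CN=carol,OU=Alumni,{BASE_DN}",                    # no mapped OU at all
}


def resolve_all(value_maps):
    """Resolve eduPersonAffiliation for every sample DN with the given maps."""
    return {name: map_value(dn, value_maps) for name, dn in SAMPLE_DNS.items()}


if __name__ == "__main__":
    for label, maps in (("loose", LOOSE_MAPS), ("anchored", ANCHORED_MAPS)):
        print(f"--- {label} ValueMaps ---")
        for name, affiliations in resolve_all(maps).items():
            print(f"{name:12s} -> {affiliations}")
```

With the loose maps, bob receives student as well as staff because `OU=Students` is found inside `OU=Students Union`, and the vendor account svc-backup receives staff and member because `OU=IT` is found inside `OU=IT Vendors`; any Service Provider that authorises on those affiliations would then admit accounts the directory never placed in those containers. The anchored maps give bob staff and member only and leave svc-backup on the affiliate default. The anchored pattern is a drop-in replacement for the SourceValue text in the XML above; if your directory returns DNs with lower-case attribute types, add ignoreCase="true" to the SourceValue rather than loosening the pattern.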