Scripted Affiliation in Attribute Resolver
The scripted attribute definition for eduPersonScopedAffiliation and eduPersonAffiliation described on this page has been distributed previously. It is now deprecated in favour of a Mapped attribute definition (see Mapped Affiliation in Attribute Resolver in our guides), and this page will shortly be removed.
In some circumstances the affiliation values required for eduPersonScopedAffiliation and eduPersonAffiliation are not available within the organisation's directory service, and it may be more straightforward to generate them with a scripted attribute, based on the user's membership of an OrganizationalUnit (OU) or Container (CN) in the directory.
Examples of scripted attributes have been distributed previously; this version has been updated to work with Shibboleth IdP 3.3.0 onwards on Java 8. Java 8 replaces the Rhino script engine with Nashorn, which is why the script below starts by loading Nashorn's Mozilla (Rhino) compatibility script. It is based on the Shibboleth Resolver Scripted Attribute Definition examples.
The following are two AttributeDefinitions, one each for eduPersonScopedAffiliation and eduPersonAffiliation. Both take their values from the scripted attribute AffiliationusingDN defined further down.
<AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="AffiliationusingDN">
    <Dependency ref="AffiliationusingDN" />
    <Dependency ref="myLDAP" />
    <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation" sourceAttributeID="AffiliationusingDN">
    <Dependency ref="AffiliationusingDN" />
    <Dependency ref="myLDAP" />
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
</AttributeDefinition>
The following is a ScriptedAttribute definition that derives the affiliations from the user's dn (distinguishedName) attribute in LDAP.
Note:
- You may need to update your ldap.properties so that idp.attribute.resolver.LDAP.returnAttributes includes distinguishedName; otherwise the script has no DN to inspect.
- Update the OU names in the script (OU=Students, OU=Staff, OU=IT, OU=Admin) to match the OrganizationalUnit (OU) or Container (CN) layout of your LDAP directory.
- The script performs a case-sensitive substring test on the whole DN, first match wins. An OU name that is a prefix of another, or the same text inside a CN value, will also match, so order the tests from most to least specific and prefer matching on individual RDN components if your directory contains such overlaps.
<AttributeDefinition xsi:type="ScriptedAttribute" id="AffiliationusingDN">
    <Dependency ref="myLDAP" />
    <Script><![CDATA[
        // Java 8 ships the Nashorn engine; this compatibility script supplies importPackage()
        load("nashorn:mozilla_compat.js");
        // Package import carried over from the IdP v2 version of this script; the calls below
        // do not need it and it can be dropped on IdP v3
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

        // distinguishedName is only available to the script when LDAP returned it; without this
        // guard an account lacking the attribute fails resolution instead of becoming "affiliate"
        if (typeof distinguishedName == "undefined" || distinguishedName.getValues().size() == 0) {
            AffiliationusingDN.getValues().add("affiliate");
        } else {
            var dn = distinguishedName.getValues().get(0);
            // Substring tests on the DN, first match wins; edit the OU names to suit your directory
            if (dn.contains("OU=Students")) {
                AffiliationusingDN.getValues().add("student");
                AffiliationusingDN.getValues().add("member");
            } else if (dn.contains("OU=Staff")) {
                AffiliationusingDN.getValues().add("staff");
                AffiliationusingDN.getValues().add("member");
            } else if (dn.contains("OU=IT")) {
                AffiliationusingDN.getValues().add("staff");
                AffiliationusingDN.getValues().add("member");
            } else if (dn.contains("OU=Admin")) {
                AffiliationusingDN.getValues().add("staff");
                AffiliationusingDN.getValues().add("member");
            } else {
                AffiliationusingDN.getValues().add("affiliate");
            }
        }
    ]]></Script>
</AttributeDefinition>
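As an added example (this is not the page's own script, nor code from the Shibboleth project), the following plain ECMAScript 5 reworks the DN-to-affiliation logic so that it inspects the OU components of the DN rather than substrings of the whole string, and tolerates a missing distinguishedName. It honours backslash-escaped commas in RDN values, compares OU names case-insensitively, and ignores text that merely looks like "OU=..." inside a CN value. The OU names and affiliation rules are assumptions mirroring the script above; adjust them to your directory. Because it is ES5 with no Java calls, the same functions run under Nashorn inside a Script element or under Node for testing.

```javascript
// Added example: map an LDAP DN to eduPersonAffiliation values by examining the
// DN's OU components exactly, instead of substring-matching the whole DN.
// Plain ES5 so it runs under Nashorn (Java 8) and Node alike.

// Split a DN into its RDN strings, honouring backslash escapes (RFC 4514) so that
// an escaped comma inside a value ("Smith\, John") does not start a new RDN.
function splitRdns(dn) {
  var rdns = [];
  var current = "";
  for (var i = 0; i < dn.length; i++) {
    var c = dn.charAt(i);
    if (c === "\\" && i + 1 < dn.length) {   // keep the escape pair together
      current += c + dn.charAt(i + 1);
      i++;
    } else if (c === ",") {
      rdns.push(current);
      current = "";
    } else {
      current += c;
    }
  }
  rdns.push(current);
  return rdns;
}

// Return the value of every OU= component in the DN, lower-cased for comparison.
// Only the attribute type before the first "=" of each RDN is examined, so a CN
// whose value happens to contain "OU=Staff" is not mistaken for an OU.
function ouValues(dn) {
  var out = [];
  var rdns = splitRdns(dn);
  for (var i = 0; i < rdns.length; i++) {
    var rdn = rdns[i].replace(/^\s+/, "");
    var eq = rdn.indexOf("=");
    if (eq < 0) continue;
    var type = rdn.substring(0, eq).trim().toLowerCase();
    var value = rdn.substring(eq + 1).trim().toLowerCase();
    if (type === "ou") out.push(value);
  }
  return out;
}

// Ordered rules, first match wins. The OU names are assumed; change them to suit
// your directory, keeping the most specific ones first.
var AFFILIATION_RULES = [
  { ou: "students", affiliations: ["student", "member"] },
  { ou: "staff",    affiliations: ["staff", "member"] },
  { ou: "it",       affiliations: ["staff", "member"] },
  { ou: "admin",    affiliations: ["staff", "member"] }
];
var DEFAULT_AFFILIATIONS = ["affiliate"];

// dn may be null, undefined or empty when the directory returned no distinguishedName;
// such accounts fall through to the default rather than causing a script error.
function affiliationsFromDn(dn) {
  if (dn === null || dn === undefined || dn === "") return DEFAULT_AFFILIATIONS.slice();
  var ous = ouValues(String(dn));
  for (var r = 0; r < AFFILIATION_RULES.length; r++) {
    if (ous.indexOf(AFFILIATION_RULES[r].ou) >= 0) {
      return AFFILIATION_RULES[r].affiliations.slice();
    }
  }
  return DEFAULT_AFFILIATIONS.slice();
}
```

To use this inside the AttributeDefinition above, paste the functions into the Script element, obtain dn with the same typeof guard as the script (null when distinguishedName is absent), and then loop over affiliationsFromDn(dn), adding each returned value with AffiliationusingDN.getValues().add(value).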