
One approach to removing the realm from the Principal name returned by Kerberos

Credit should be given to Paul Caskey who provided this approach in July, 2008. There are likely other approaches, but this does work.

In the attribute-resolver.xml file, you first define the principal as an attribute:

        <!-- This attribute returns the full Kerberos principal name as
             authenticated via JAAS, e.g. jdoe@CAMPUS.EDU (realm included) -->
        <resolver:AttributeDefinition id="principal" xsi:type="PrincipalName"
           dependencyOnly="true" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
             <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
        </resolver:AttributeDefinition>

Next, extract the username (uid) portion of the principal and discard the realm with a RegexSplit attribute definition. The regex is anchored to your own realm, so a principal from any other realm does not match and yields no value; the "." in the realm is escaped so that it matches only a literal dot rather than any character:

        <!-- This attribute is the above principal name with the Kerberos realm
             (e.g. CAMPUS.EDU) removed via regex; the uid is capture group 0 -->
        <resolver:AttributeDefinition xsi:type="RegexSplit" dependencyOnly="true"
           xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="regex_principal_split"
           sourceAttributeID="principal" regex="^(.*?)@CAMPUS\.EDU$">
              <resolver:Dependency ref="principal" />
        </resolver:AttributeDefinition>

Finally, change the filter in your LDAP data connector to the following. Placing the resolver:Dependency before the FilterTemplate is required: without it the resolver does not supply "regex_principal_split" to the template, and the ${...} reference inside the CDATA section is left unexpanded instead of being replaced with the uid. Two caveats: get(0) is the first capture group, i.e. whatever matched (.*?), and that value is substituted directly into the LDAP filter, so unless you are certain the connector escapes filter metacharacters (asterisk, parentheses, backslash) you should tighten the capture group to the characters a uid may actually contain, for example [A-Za-z0-9._-]+. And a principal that does not match the regex (one from another realm) has no value at all; confirm that this case fails the lookup rather than producing a malformed or empty (uid=) filter.

        <resolver:Dependency ref="regex_principal_split" />

        <FilterTemplate>
            <![CDATA[
                (uid=${regex_principal_split.get(0)})
            ]]>
        </FilterTemplate>
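The regex and filter steps above can be checked outside the IdP by modelling them as plain functions. The following Python script is an added example, not part of this page or of Shibboleth: it reimplements the RegexSplit capture and the FilterTemplate substitution (the names regex_split, build_filter, ldap_escape and STRICT_REGEX are chosen here), compares the regex as written on the page with a stricter variant that escapes the dot and limits the uid character set, and escapes LDAP filter metacharacters per RFC 4515 so the resulting filter is well-formed regardless of what the capture group contained. The sample principals are constructed for the demonstration.

```python
import re

# Realm to strip. The page hard-codes CAMPUS.EDU; change to your own realm.
REALM = "CAMPUS.EDU"

# Regex as written on the page: the "." in the realm is unescaped (matches any
# character) and the capture group accepts any character at all.
PAGE_REGEX = re.compile(r"^(.*?)@CAMPUS.EDU$")

# Hardened variant (an assumption of this example, not from the page): the dot
# is escaped and the uid is limited to characters expected in a uid, so nothing
# an LDAP filter treats as syntax can reach the FilterTemplate.
STRICT_REGEX = re.compile(r"^([A-Za-z0-9._-]+)@" + re.escape(REALM) + r"$")


def regex_split(principal, pattern=STRICT_REGEX):
    """Model of the RegexSplit attribute definition.

    Returns the list of capture-group values (index 0 is the uid), or an
    empty list when the principal does not match, e.g. a user from another
    realm. A non-match is the fail-closed case and must not turn into an
    empty uid value.
    """
    m = pattern.match(principal)
    return list(m.groups()) if m else []


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515):
    '*', '(', ')', '\\' and NUL become a backslash plus two hex digits."""
    out = []
    for ch in value:
        if ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(principal, pattern=STRICT_REGEX):
    """Model of the FilterTemplate (uid=${regex_principal_split.get(0)}).

    Raises when the realm did not match, rather than emitting "(uid=)" or
    looking up an unrelated account.
    """
    parts = regex_split(principal, pattern)
    if not parts or not parts[0]:
        raise ValueError("principal %r is not in realm %s" % (principal, REALM))
    return "(uid=%s)" % ldap_escape(parts[0])


if __name__ == "__main__":
    # Constructed sample principals (not real accounts).
    samples = ("jdoe@CAMPUS.EDU", "jdoe@CAMPUSXEDU", "jdoe@OTHER.EDU",
               "*)(uid=admin@CAMPUS.EDU")
    for p in samples:
        for name, pat in (("page regex", PAGE_REGEX), ("strict regex", STRICT_REGEX)):
            try:
                print("%-26s %-12s -> %s" % (p, name, build_filter(p, pat)))
            except ValueError as e:
                print("%-26s %-12s -> rejected (%s)" % (p, name, e))
```

Running the script shows the two differences that matter: the page's regex accepts jdoe@CAMPUSXEDU as if it were in the realm because the unescaped dot matches the X, and it passes filter syntax such as *)(uid=admin through to the template, where only RFC 4515 escaping keeps the filter intact; the strict regex rejects both before any filter is built.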