The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP30 and SP3 wiki spaces for current documentation on the supported versions.

Script Attribute Definition Examples

The following examples are simply that, examples. They do not illustrate all possible configuration properties or features. Refer to script attribute definition for this information.

Generate Unique Opaque Identifier

Contributed by: Lukas Haemmerle, SWITCH, Switzerland

This example generates a unique, opaque identifier derived from an identifier held in another attribute. This approach is useful when an opaque identifier is required but none is available in the user data store.

<resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="swissEduPersonUniqueID"
                              sourceAttributeID="uidNumber">

    <!-- Dependency that provides the source attribute. -->
    <resolver:Dependency ref="myLDAP" />

    <!-- SAML 1 and 2 encoders for the attribute. -->
    <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:oid:2.16.756.1.2.5.1.1.1"
                               friendlyName="swissEduPersonUniqueID" />

    <!-- The script, wrapped in a CDATA section so that special XML characters don't need to be removed -->
    <Script><![CDATA[
        // Import Shibboleth attribute provider
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

        // Import Apache commons codecs
        importPackage(Packages.org.apache.commons.codec.digest);

        // Build the input for the hash: the first uidNumber value plus a fixed secret salt
        uniqueValue = uidNumber.getValues().get(0) + "some#salt#value#12345679";

        // Derive the local part as the hex-encoded MD5 of that input
        localpart = DigestUtils.md5Hex(uniqueValue);

        // Get attribute to add
        swissEduPersonUniqueID = new BasicAttribute("swissEduPersonUniqueID");

        // Prepend unique and pseudo-random localpart to domain name
        swissEduPersonUniqueID.getValues().add(localpart + "@switch.ch");
    ]]></Script>
</resolver:AttributeDefinition>

Generate Affiliation based on Groups

Contributed by: Halm Reusser, SWITCH, Switzerland

This example demonstrates the generation of values for the eduPersonAffiliation attribute based on the group membership attribute memberOf.

Group membership in many LDAP directories is carried in the memberOf attribute. In Novell's eDirectory it is carried in the groupMembership attribute.

<resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="eduPersonAffiliation"
                              sourceAttributeID="eduPersonAffiliation">

    <!-- Dependency that provides the source attribute. -->
    <resolver:Dependency ref="myLDAP" />

    <!-- SAML 1 and 2 encoders for the attribute. -->
    <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                               friendlyName="eduPersonAffiliation" />

    <!-- The script, wrapped in a CDATA section so that special XML characters don't need to be removed -->
    <Script><![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

        // Create attribute to be returned from definition
        eduPersonAffiliation = new BasicAttribute("eduPersonAffiliation");

        // Add at least one value
        eduPersonAffiliation.getValues().add("affiliate");

        // If the user has group membership (the variable is only defined when the dependency supplied it)
        if (typeof memberOf != "undefined" && memberOf != null ){
            // Then go through each group DN and add the appropriate affiliation.
            // The IdP removes duplicate values, so we don't need to worry about that here.
            for ( i = 0; i < memberOf.getValues().size(); i++ ){
                value = memberOf.getValues().get(i);

                if (value.indexOf("OU=Students") > 0){
                    eduPersonAffiliation.getValues().add("student");
                }

                if (value.indexOf("OU=Teachers") > 0){
                    eduPersonAffiliation.getValues().add("faculty");
                    eduPersonAffiliation.getValues().add("staff");
                }

                if (value.indexOf("OU=Staff") > 0){
                    eduPersonAffiliation.getValues().add("staff");
                }
            }
        }
    ]]></Script>
</resolver:AttributeDefinition>

Add common-lib-terms to all Staff and Students

Contributed by: Halm Reusser, SWITCH, Switzerland

This example adds the common-lib-terms URN to the eduPersonEntitlement attribute for a principal with affiliation staff or student while keeping any entitlement values retrieved from the directory.

<resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="eduPersonEntitlement"
                              sourceAttributeID="eduPersonEntitlement">

    <!-- Dependency that provides the source attribute. -->
    <resolver:Dependency ref="myLDAP" />
    <resolver:Dependency ref="eduPersonAffiliation" />

    <!-- SAML 1 and 2 encoders for the attribute. -->
    <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
                               friendlyName="eduPersonEntitlement" />

    <!-- The script, wrapped in a CDATA section so that special XML characters don't need to be removed -->
    <Script><![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

        // Reuse the entitlement attribute from the directory; create an empty one if the
        // directory supplied none (the variable is then undefined, not null)
        if (typeof eduPersonEntitlement == "undefined" || eduPersonEntitlement == null) {
            eduPersonEntitlement = new BasicAttribute("eduPersonEntitlement");
        }

        if (eduPersonAffiliation.getValues().contains("staff") ||
                eduPersonAffiliation.getValues().contains("student")) {
            eduPersonEntitlement.getValues().add("urn:mace:dir:entitlement:common-lib-terms");
        }
    ]]></Script>
</resolver:AttributeDefinition>
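As an added example that is not part of the original page, the following Node.js script re-implements the affiliation and entitlement scripts above so they can be run and checked offline. The BasicAttribute stand-in (modelling only getValues()), the group DNs and the entitlement values are constructed for this example, not taken from the IdP.

```javascript
// Added example (not from the Shibboleth wiki page): a Node.js stand-in for the IdP's
// BasicAttribute, modelling only getValues(), so the affiliation and entitlement
// scripts above can be run and checked offline against constructed memberOf DNs.
class BasicAttribute {
  constructor(id) { this.id = id; this.values = []; }
  getValues() { return this.values; }
}

// Same logic as the eduPersonAffiliation script: memberOf group DNs in, affiliations out.
// Duplicates are kept on purpose; in the IdP they are removed after the script runs.
// indexOf(...) > 0 is kept as on the page: group DNs start with "CN=", so an OU match
// never sits at index 0. It is a substring test, so "OU=Staffing" also matches "OU=Staff".
function resolveAffiliation(memberOf) {
  const eduPersonAffiliation = new BasicAttribute("eduPersonAffiliation");
  eduPersonAffiliation.getValues().push("affiliate");
  if (typeof memberOf !== "undefined" && memberOf !== null) {
    for (const value of memberOf.getValues()) {
      if (value.indexOf("OU=Students") > 0) eduPersonAffiliation.getValues().push("student");
      if (value.indexOf("OU=Teachers") > 0) eduPersonAffiliation.getValues().push("faculty", "staff");
      if (value.indexOf("OU=Staff") > 0) eduPersonAffiliation.getValues().push("staff");
    }
  }
  return eduPersonAffiliation;
}

// Same logic as the eduPersonEntitlement script: the attribute from LDAP (or nothing)
// plus the resolved affiliation; common-lib-terms is appended for staff and students.
function resolveEntitlement(eduPersonEntitlement, eduPersonAffiliation) {
  if (typeof eduPersonEntitlement === "undefined" || eduPersonEntitlement === null) {
    eduPersonEntitlement = new BasicAttribute("eduPersonEntitlement");
  }
  const affiliations = eduPersonAffiliation.getValues();
  if (affiliations.includes("staff") || affiliations.includes("student")) {
    eduPersonEntitlement.getValues().push("urn:mace:dir:entitlement:common-lib-terms");
  }
  return eduPersonEntitlement;
}

// Deduplicate as the IdP does, sorted so results are easy to compare.
function unique(attr) { return [...new Set(attr.getValues())].sort(); }

// Constructed sample user: one Teachers group, one Staff group, no entitlements in LDAP.
const memberOf = new BasicAttribute("memberOf");
memberOf.getValues().push("CN=math,OU=Teachers,DC=example,DC=org",
                          "CN=helpdesk,OU=Staff,DC=example,DC=org");
const affiliation = resolveAffiliation(memberOf);
const entitlement = resolveEntitlement(null, affiliation);
console.log(unique(affiliation));  // [ 'affiliate', 'faculty', 'staff' ]
console.log(unique(entitlement));  // [ 'urn:mace:dir:entitlement:common-lib-terms' ]
```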