Script Attribute Definition Examples
The following examples are simply that, examples. They do not illustrate all possible configuration properties or features. Refer to script attribute definition for this information.

Generate Unique Opaque Identifier
Contributed by: Lukas Haemmerle, SWITCH, Switzerland
This example generates a unique, opaque identifier from an identifier held in another attribute (here uidNumber). The approach is useful when an opaque identifier is needed but the user data store does not hold one. The result is only as opaque as the salt is secret: the salt is concatenated with the source value and hashed, so anyone who knows it can recover a low-entropy source value such as a uidNumber simply by enumerating candidates. The salt must also never change, since changing it changes every user's identifier.
<resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="swissEduPersonUniqueID"
sourceAttributeID="uidNumber">
<!-- Dependency that provides the source attribute. -->
<resolver:Dependency ref="myLDAP" />
<!-- SAML 1 and 2 encoders for the attribute. -->
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID" />
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:2.16.756.1.2.5.1.1.1"
friendlyName="swissEduPersonUniqueID" />
<!-- The script, wrapped in a CDATA section so that special XML characters don't need to be removed -->
<Script><![CDATA[
// Import Shibboleth attribute provider
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
// Import Apache commons codecs
importPackage(Packages.org.apache.commons.codec.digest);
// Concatenate the source value with a fixed salt. The salt must stay constant
// (changing it changes every identifier) and must be kept secret (anyone who
// has it can enumerate low-entropy source values such as uidNumber).
uniqueValue = uidNumber.getValues().get(0) + "some#salt#value#12345679";
// Hash it; the hex digest becomes the local part of the identifier
localpart = DigestUtils.md5Hex(uniqueValue);
// Get attribute to add
swissEduPersonUniqueID = new BasicAttribute("swissEduPersonUniqueID");
// Prepend unique and pseudo-random localpart to domain name
swissEduPersonUniqueID.getValues().add(localpart + "@switch.ch");
]]></Script>
</resolver:AttributeDefinition>

Generate Affiliation based on Groups
Contributed by: Halm Reusser, SWITCH, Switzerland
This example demonstrates the generation of values for the eduPersonAffiliation attribute based on the group membership attribute memberOf.
Group membership in many LDAP directories is carried in the memberOf attribute. In Novell's eDirectory it is carried in the groupMembership attribute.
The script matches each group DN with a plain substring search, so the match is case-sensitive and will also fire on any OU whose name merely contains the string (for example OU=Students-Archive); adapt the strings to the directory's actual DN layout.
<resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="eduPersonAffiliation"
sourceAttributeID="eduPersonAffiliation">
<!-- Dependency that provides the source attribute. -->
<resolver:Dependency ref="myLDAP" />
<!-- SAML 1 and 2 encoders for the attribute. -->
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
friendlyName="eduPersonAffiliation" />
<!-- The script, wrapped in a CDATA section so that special XML characters don't need to be removed -->
<Script><![CDATA[
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
// Create attribute to be returned from definition
eduPersonAffiliation = new BasicAttribute("eduPersonAffiliation");
// Add at least one value
eduPersonAffiliation.getValues().add("affiliate");
// If the user has group membership (memberOf is only defined when the
// directory returned the attribute)
if (typeof memberOf != "undefined" && memberOf != null) {
    // Go through each group membership and add the appropriate affiliation.
    // The IdP removes duplicate values, so there is no need to check for them here.
    // indexOf returns -1 when the substring is absent, so test for >= 0;
    // "> 0" would miss a match at the very start of the value.
    for (i = 0; i < memberOf.getValues().size(); i++) {
        value = memberOf.getValues().get(i);
        if (value.indexOf("OU=Students") >= 0) {
            eduPersonAffiliation.getValues().add("student");
        }
        if (value.indexOf("OU=Teachers") >= 0) {
            eduPersonAffiliation.getValues().add("faculty");
            eduPersonAffiliation.getValues().add("staff");
        }
        if (value.indexOf("OU=Staff") >= 0) {
            eduPersonAffiliation.getValues().add("staff");
        }
    }
}
]]></Script>
</resolver:AttributeDefinition>
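The group-to-affiliation logic of the script above as an added example (not from the Shibboleth wiki), written as plain JavaScript so it can be unit-tested in Node before being pasted into a <Script> element; it avoids ES6 syntax for that reason. Instead of a substring search over the whole DN it splits each memberOf value into RDNs and matches the OU component exactly and case-insensitively, so OU=Students-Archive or ou=students behave as one would expect. The OU-to-affiliation table and the DNs used below are constructed; the page's own substring test is included for comparison.

```javascript
// Added example, not from the Shibboleth wiki: memberOf -> eduPersonAffiliation
// mapping with exact RDN matching. Written in ES5 so it also runs under the
// Rhino engine used by IdP 2 Script definitions.

// Hypothetical mapping from OU name (lower-cased) to the affiliations it grants.
var OU_TO_AFFILIATIONS = {
  "students": ["student"],
  "teachers": ["faculty", "staff"],
  "staff": ["staff"]
};

function trim(s) { return s.replace(/^\s+|\s+$/g, ""); }

function sortedKeys(obj) {
  var out = [];
  for (var k in obj) {
    if (Object.prototype.hasOwnProperty.call(obj, k)) out.push(k);
  }
  return out.sort();
}

// Split a DN into {type, value} components. A backslash escapes the next
// character, so "CN=Smith\, John,OU=Staff,..." keeps the comma inside the CN.
// Full RFC 4514 handling (hex escapes, multi-valued RDNs) is beyond this example.
function parseDn(dn) {
  var parts = [];
  var current = "";
  for (var i = 0; i < dn.length; i++) {
    var c = dn.charAt(i);
    if (c === "\\" && i + 1 < dn.length) {
      current += dn.charAt(i + 1);
      i++;
    } else if (c === ",") {
      parts.push(current);
      current = "";
    } else {
      current += c;
    }
  }
  parts.push(current);
  var rdns = [];
  for (var j = 0; j < parts.length; j++) {
    var eq = parts[j].indexOf("=");
    if (eq < 0) continue; // malformed component: ignore rather than guess
    rdns.push({
      type: trim(parts[j].substring(0, eq)).toLowerCase(),
      value: trim(parts[j].substring(eq + 1))
    });
  }
  return rdns;
}

// Exact, case-insensitive match on OU components only; every principal gets
// "affiliate", as in the script above. Returns a sorted, de-duplicated array.
function affiliationsFromGroups(memberOfValues) {
  var seen = { "affiliate": true };
  var values = memberOfValues || [];
  for (var i = 0; i < values.length; i++) {
    var rdns = parseDn(values[i]);
    for (var j = 0; j < rdns.length; j++) {
      if (rdns[j].type !== "ou") continue;
      var key = rdns[j].value.toLowerCase();
      if (!Object.prototype.hasOwnProperty.call(OU_TO_AFFILIATIONS, key)) continue;
      var granted = OU_TO_AFFILIATIONS[key];
      for (var k = 0; k < granted.length; k++) seen[granted[k]] = true;
    }
  }
  return sortedKeys(seen);
}

// The substring test used by the Script definition above, kept for comparison:
// it is case-sensitive and matches any OU whose name contains the string.
function affiliationsBySubstring(memberOfValues) {
  var seen = { "affiliate": true };
  var values = memberOfValues || [];
  for (var i = 0; i < values.length; i++) {
    var value = values[i];
    if (value.indexOf("OU=Students") >= 0) seen["student"] = true;
    if (value.indexOf("OU=Teachers") >= 0) { seen["faculty"] = true; seen["staff"] = true; }
    if (value.indexOf("OU=Staff") >= 0) seen["staff"] = true;
  }
  return sortedKeys(seen);
}
```

Inside an IdP Script definition the memberOf values arrive as a Java collection rather than a JavaScript array, so a wrapper would copy them out with getValues().get(i) before calling affiliationsFromGroups and then add the returned strings to the BasicAttribute.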

Add common-lib-terms to all Staff and Students
Contributed by: Halm Reusser, SWITCH, Switzerland
This example adds the common-lib-terms URN to the eduPersonEntitlement attribute for a principal with affiliation staff or student while keeping any entitlement values retrieved from the directory. It depends on the eduPersonAffiliation definition from the previous example, which is therefore declared as a dependency alongside the LDAP connector.
<resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="eduPersonEntitlement"
sourceAttributeID="eduPersonEntitlement">
<!-- Dependency that provides the source attribute. -->
<resolver:Dependency ref="myLDAP" />
<resolver:Dependency ref="eduPersonAffiliation" />
<!-- SAML 1 and 2 encoders for the attribute. -->
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
friendlyName="eduPersonEntitlement" />
<!-- The script, wrapped in a CDATA section so that special XML characters don't need to be removed -->
<Script><![CDATA[
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
// Reuse the attribute supplied by the LDAP dependency so that entitlement
// values already in the directory are kept; only create an empty one if the
// directory returned none.
if (typeof eduPersonEntitlement == "undefined" || eduPersonEntitlement == null) {
    eduPersonEntitlement = new BasicAttribute("eduPersonEntitlement");
}
// eduPersonAffiliation comes from the Script definition above and always carries
// at least "affiliate", but guard against it being absent in case that changes.
if (typeof eduPersonAffiliation != "undefined" && eduPersonAffiliation != null &&
    (eduPersonAffiliation.getValues().contains("staff") ||
     eduPersonAffiliation.getValues().contains("student"))) {
    // The IdP removes duplicate values, so adding it again is harmless
    eduPersonEntitlement.getValues().add("urn:mace:dir:entitlement:common-lib-terms");
}
]]></Script>
</resolver:AttributeDefinition>