IdP, Google Apps and UID

Jacquet, Frederic

Hello

I have set up one of our test domains to use SAML for Google Apps identification.

My issue is that, on our side, the uid is normally not the local part of the mail address.

Google provides only the local part of the mail address.

I have tried to define this in login.config:

ShibUserPassAuth {
    /* Internal users: look the login name up by uid.
       Bind DN, credential and port are placeholders (XXXX). */
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        host="ldap.imd.ch"
        base="ou=internal,ou=People,dc=imd,dc=ch"
        port="XXXX"
        ssl="false"
        tls="false"
        subtreeSearch="true"
        serviceUser="XXXX"
        serviceCredential="XXXX"
        userField="uid";

    /* External users: same directory, other subtree, looked up by mail address.
       Both entries are flagged "required", so a login has to validate
       against both subtrees for the stack to succeed. */
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        host="ldap.imd.ch"
        base="ou=external,ou=People,dc=imd,dc=ch"
        port="390"
        ssl="false"
        tls="false"
        subtreeSearch="true"
        serviceUser="XXXX"
        serviceCredential="XXXX"
        userField="mail mailalternateaddress";
};

but it does not work... (I am not surprised)

Is there a way to do this?

Thanks in advance

fred

Frederic Jacquet- Unix Administrator
Tel: +41 21 618 02 31

IMD
Ch. de Bellerive 23, P.O. Box 915
CH - 1001 Lausanne, Switzerland
www.imd.ch

Re: IdP, Google Apps and UID

Chad La Joie
Frederic, the configuration you provide is for authentication to your
IdP.  That is unrelated to what you'd send to Google.  One immediate
problem I see with the authentication configuration is that you require
that the provided username/password validate against both LDAP login
modules.  That's probably not what you want.

As to the information you send to Google, that's controlled by the
attribute resolver and filter engine.  The resolver provides you with a
large number of features that you can use to look up and transform data
before sending it out so, if you have the data Google needs, you
shouldn't have any troubles sending it to them.


--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch
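On the point about both modules being flagged required: as an added example, not configuration from this thread, from Will Norris's document or from the IdP distribution, here is the same two-subtree login.config rewritten so that a login is accepted when either subtree validates it. The ShibUserPassAuth application name is the IdP 2.x default; the bind DN, bind credential and internal port are placeholders as in the original; tls="true" (StartTLS on the plain LDAP port) is an assumption about what any non-test deployment should set, so that user passwords are not bound to the directory in the clear.

```jaas
ShibUserPassAuth {
    /* Internal users first. "sufficient": if this module accepts the
       username/password the stack succeeds and the external module is
       never consulted; if it rejects them, evaluation falls through.
       Placeholders (XXXX) as in the original post. */
    edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
        host="ldap.imd.ch"
        base="ou=internal,ou=People,dc=imd,dc=ch"
        port="XXXX"
        ssl="false"
        tls="true"
        subtreeSearch="true"
        serviceUser="XXXX"
        serviceCredential="XXXX"
        userField="uid";

    /* External users: same directory, other subtree, looked up by mail
       address. Also "sufficient": a login that matches neither subtree
       fails the whole stack. */
    edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
        host="ldap.imd.ch"
        base="ou=external,ou=People,dc=imd,dc=ch"
        port="390"
        ssl="false"
        tls="true"
        subtreeSearch="true"
        serviceUser="XXXX"
        serviceCredential="XXXX"
        userField="mail";
};
```

With sufficient, the first module that validates the password ends the stack and the second is consulted only when the first rejects the login; if both reject it, authentication fails. Two things to check: whether userField accepts more than one attribute name (the original lists "mail mailalternateaddress") depends on the vt-ldap version, so a single attribute is the safe form; and because the first matching subtree wins, a login name that exists in both ou=internal and ou=external resolves to the internal entry without any warning, so the two subtrees must not share login names.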

RE: IdP, Google Apps and UID

Jacquet, Frederic
Chad,
I have just followed the very good doc by Will Norris (https://shibboleth.usc.edu/docs/google-apps/)

You are right, my issue is to return as principal not my uid, as most people do, but the stripped part of my mail, frederic.jacquet (@imd.ch), and not jacquetf.

I was thinking of IdP auth rules but again you are right, it is a mapping of returned attributes. Is there a way to return this stripped info?

Regards
fred


-----Original Message-----
From: Chad La Joie [mailto:[hidden email]]
Sent: Monday, 22 June 2009 13:55
To: [hidden email]
Subject: Re: [Shib-Users] IdP, Google Apps and UID

Fredric, the configuration you provide is for authentication to your
IdP.  That is unrelated to what you'd send to Google.  One immediate
problem I see with the authentication configuration is that you require
that provide username/password validate against both LDAP login modules.
  That's probably not what you want.

As to the information you send to Google, that's controlled by the
attribute resolver and filter engine.  The resolver provides you with a
large number of features that you can use to look up and transform data
before sending it out so, if you have the data Google needs, you
shouldn't have any troubles sending it to them.

Jacquet, Frederic wrote:

> Hello
>
>  
>
> I have setup one of our test domain to use SAML for Google Apps
> identification.
>
> My issue is that normally uid is not local part of mail domains on our
> side.
>
> Google provide only local part of mail.
>
>  
>
> I have try to define in login.config this :
>
>  
>
> edu.vt.middleware.ldap.jaas.LdapLoginModule required
>
>       host="ldap.imd.ch"
>
>       base="ou=internal,ou=People,dc=imd,dc=ch"
>
>       port=" XXXX"
>
>       ssl="false"
>
>       tls="false"
>
>       subtreeSearch="true"
>
>       serviceUser=XXXX
>
>       serviceCredential= XXXX
>
>       userField="uid";
>
>  
>
> edu.vt.middleware.ldap.jaas.LdapLoginModule required
>
>       host="ldap.imd.ch"
>
>       base="ou=external,ou=People,dc=imd,dc=ch"
>
>       port="390"
>
>       ssl="false"
>
>       tls="false"
>
>       subtreeSearch="true"
>
>       serviceUser=" XXXX "
>
>       serviceCredential=" XXXX "
>
>       userField="mail mailalternateaddress";
>
>  
>
>  
>
> but does not work ... ( I am not surprised)
>
>  
>
> I there a way to do this ?
>
>  
>
> Thanks in advance
>
> fred
>
>  
>
>  
>
> ________________________________
>
> Frederic Jacquet- Unix Administrator
> Tel: +41 21 618 02 31
>
> [hidden email] <mailto:[hidden email]>
>
>  
>
> IMD
> Ch. de Bellerive 23, P.O. Box 915
> CH - 1001 Lausanne, Switzerland
> www.imd.ch <http://www.imd.ch>  
>
>
>
>
>
>
>
>
>
>
>  
>
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch

Re: IdP, Google Apps and UID

Chad La Joie
Look at the RegexSplit attribute definition; this is the use case for
which it was designed.

Jacquet, Frederic wrote:
> I was thinking of IdP auth rules but again you are right, it is a mapping of returned attributes. Is there a way to return this stripped info?

Re: IdP, Google Apps and UID

Peter Schober
* Jacquet, Frederic <[hidden email]> [2009-06-22 15:44]:
> You are right, my issue is to return as principal not my uid, as most
> people do, but the stripped part of my mail, frederic.jacquet
> (@imd.ch), and not jacquetf.

Well, then follow the docs to resolve the email address and then feed
this attribute to another attribute definition of type RegexSplit
where you throw away the domain part of the address. Encode and
release the latter, transformed attribute.
-peter
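Putting Chad's and Peter's answers together, here is an added example, not configuration from this thread, from Will Norris's document or from the IdP distribution, of the attribute-resolver.xml and attribute-filter.xml fragments (IdP 2.x syntax) that look the mail address up in LDAP, cut the domain off with a RegexSplit definition and release the local part to Google as the SAML NameID. Assumptions: the ids myLDAP and googleAppsPrincipal are names chosen here; the bind DN, credential and port are placeholders as in the original; google.com is assumed to be the entityID Google's metadata carries for the test domain; the unspecified NameID format is assumed to be what Google expects; the namespace declarations come from the files' existing root elements.

```xml
<!-- attribute-resolver.xml (IdP 2.x): added example, not the thread's own config -->

<!-- Look the authenticated user up and fetch the mail attribute. Internal users
     log in with uid, external ones with their mail address, so the filter accepts
     either. Bind DN, credential and port are placeholders (XXXX). -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://ldap.imd.ch:390"
        baseDN="ou=People,dc=imd,dc=ch"
        principal="XXXX"
        principalCredential="XXXX"
        useStartTLS="true">
    <dc:FilterTemplate>
        <![CDATA[
            (|(uid=$requestContext.principalName)(mail=$requestContext.principalName))
        ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>uid mail</dc:ReturnAttributes>
</resolver:DataConnector>

<!-- Local part of the mail address, to be sent as the NameID. The first capturing
     group becomes the attribute value. The regex is anchored to the Google Apps
     domain on purpose: a bare ^(.+)@ would also strip foreign domains, so a user
     whose mail attribute reads someone.else@other.org would be sent to Google as
     "someone.else", a login name in the Google domain that may belong to somebody
     else. An address that does not match the pattern yields no value. -->
<resolver:AttributeDefinition id="googleAppsPrincipal" xsi:type="ad:RegexSplit"
        sourceAttributeID="mail" regex="^([^@]+)@imd\.ch$">
    <resolver:Dependency ref="myLDAP" />
    <!-- A NameID encoder rather than an attribute encoder: the value goes into
         the assertion's Subject, which is where Google reads the user name. -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: release the derived value to Google and to nobody else.
     Without a release rule the encoder never runs and the login name is not
     the NameID Google receives. -->
<AttributeFilterPolicy id="releaseToGoogleApps">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com" />
    <AttributeRule attributeID="googleAppsPrincipal">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

Two caveats. RegexSplit is applied to every value of its source, so if mail is multi-valued (or if the definition is pointed at mailalternateaddress as well) it yields one local part per matching address and the IdP picks one of them for the NameID; keep the source single-valued or let the anchored regex do the narrowing. Java regexes are case-sensitive, so if the directory stores the domain in mixed case prefix the pattern with (?i). The relying party override for Google and the metadata exchange are covered by the USC document Frederic is following and are not repeated here.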