release the exact ldap attribute value


release the exact ldap attribute value

Souleye Ndiaye

Hi,


How can I tell the IdP to return the exact LDAP value (e.g. uid) instead of the user entry during authentication? I want to ensure that uid „case matching“ between SP and LDAP is guaranteed.


Version: 3.3.1


Best regards

Souleye


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: release the exact ldap attribute value

Ian Bobbitt-2

On 11/20/19 8:20 AM, Souleye Ndiaye wrote:
>
> Hi,
>
> how can i tell the idP to return the exact LDAP value (e.g. uid)
> instead the user entry during authentication? I want to achieve that a
>  uid „case matching“ between SP and LDAP is guaranteed.
>
You can access LDAP attributes with a Simple AttributeDefinition
<https://wiki.shibboleth.net/confluence/display/IDP30/SimpleAttributeDefinition>.
The example attribute-resolver-ldap.xml configuration file contains
pretty much exactly what you want.

    <AttributeDefinition id="uid" xsi:type="Simple">
        <InputDataConnector ref="myLDAP" attributeNames="uid"/>
        <AttributeEncoder xsi:type="SAML1String"
            name="urn:mace:dir:attribute-def:uid" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String"
            name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid"
            encodeType="false" />
    </AttributeDefinition>

The usual caveats apply. Case sensitivity for usernames is going to
cause problems for you at some point. Unscoped usernames are unsafe in a
federated environment.

>
> Version: 3.3.1
>
This is very old. 3.3.1 was released in March 2017. There are a lot of
bug fixes, feature improvements, and a handful of security advisories
that may or may not apply to your particular configuration.
<https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes>
>
> Best regards
>
> Souleye
>
>



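A companion fragment, added here as an illustration (not from the thread or the IdP distribution): the PrincipalName-type definition that releases the name as the user typed it at login, which is what causes the case mismatch, beside a Scoped definition built from the same LDAP lookup, which addresses Ian's unscoped-username caveat. It assumes the myLDAP connector and the idp.scope property from the default configuration; the id uidFromLogin is a made-up name.

```xml
<!-- Not what the question needs: releases the authenticated principal name
     exactly as typed at login, so "JDoe" and "jdoe" reach the SP as different
     values even where LDAP's case-insensitive uid matching accepted both. -->
<AttributeDefinition id="uidFromLogin" xsi:type="PrincipalName">
    <AttributeEncoder xsi:type="SAML2String"
        name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid"
        encodeType="false" />
</AttributeDefinition>

<!-- Same LDAP lookup as the Simple "uid" definition, but released with a scope
     so the value stays unique across a federation (assumes the myLDAP
     connector and the idp.scope property from the default configuration). -->
<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped"
    scope="%{idp.scope}">
    <InputDataConnector ref="myLDAP" attributeNames="uid"/>
    <AttributeEncoder xsi:type="SAML2ScopedString"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        friendlyName="eduPersonPrincipalName" encodeType="false" />
</AttributeDefinition>
```

Releasing the Scoped value in place of a bare uid gives the SP something it can key on across federation members, while the value itself still comes from the directory rather than from the login form.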

Re: release the exact ldap attribute value

Peter Schober
In reply to this post by Souleye Ndiaye
* Souleye Ndiaye <[hidden email]> [2019-11-20 14:21]:
> how can i tell the idP to return the exact LDAP value (e.g. uid) instead
> the user entry during authentication? I want to achieve that a  uid „case
> matching“ between SP and LDAP is guaranteed.

What Ian said: By looking up its value and releasing what's stored in
LDAP, i.e., by avoiding the "PrincipalName"-type attribute definition
and using LDAP for normalization of the values (assuming you have
consistent values stored in LDAP, of course).

-peter

Re: release the exact ldap attribute value

Souleye Ndiaye
Hi,

Thanks a lot! That was exactly what I was looking for!
Regards

Am Mi., 20. Nov. 2019 um 17:43 Uhr schrieb Peter Schober <[hidden email]>:
* Souleye Ndiaye <[hidden email]> [2019-11-20 14:21]:
> how can i tell the idP to return the exact LDAP value (e.g. uid) instead
> the user entry during authentication? I want to achieve that a  uid „case
> matching“ between SP and LDAP is guaranteed.

What Ian said: By looking up its value and releasing what's stored in
LDAP, i.e., by avoiding the "PrincipalName"-type attribute definition
and using LDAP for normalization of the values (assuming you have
consistent values stored in LDAP, of course).

-peter