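<?xml version="1.0" encoding="UTF-8"?>
<!--
    This file is an EXAMPLE configuration file for use within a SAML WebSSO
    federation containing various example attributes, encoders, and a couple
    of example data connectors.

    Deployers should refer to the Identity Provider 4 documentation
    https://wiki.shibboleth.net/confluence/display/IDP4/AttributeResolverConfiguration
    for a complete list of components and their options.

    Property placeholders (%{...}) are replaced from the IdP property files when
    the file is loaded; this file relies on that inside the Script and
    FilterTemplate CDATA sections as well as in attribute values.

    Where two alternatives are given for one attribute, exactly one of them may
    be active at a time: every AttributeDefinition id must be unique.
-->
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <!-- ========================================== -->
    <!--      Attribute Definitions                 -->
    <!-- ========================================== -->

    <!-- Schema: Core schema attributes -->

    <!-- givenName -->
    <AttributeDefinition xsi:type="Simple" id="givenName">
        <InputDataConnector ref="myLDAP" attributeNames="givenName"/>
    </AttributeDefinition>

    <!-- sn -->
    <AttributeDefinition xsi:type="Simple" id="sn">
        <InputDataConnector ref="myLDAP" attributeNames="sn"/>
    </AttributeDefinition>

    <!-- displayName, alternative 1: direct myLDAP lookup -->
    <!-- use this if the displayName is stored in myLDAP -->
    <AttributeDefinition xsi:type="Simple" id="displayName">
        <InputDataConnector ref="myLDAP" attributeNames="displayName"/>
    </AttributeDefinition>

    <!-- displayName, alternative 2: create from givenName and sn -->
    <!--
    <AttributeDefinition xsi:type="Template" id="displayName">
        <InputAttributeDefinition ref="givenName"/>
        <InputAttributeDefinition ref="sn"/>
        <Template>${givenName} ${sn}</Template>
    </AttributeDefinition>
    -->

    <!-- mail -->
    <AttributeDefinition xsi:type="Simple" id="mail">
        <InputDataConnector ref="myLDAP" attributeNames="mail"/>
    </AttributeDefinition>

    <!-- eduPersonPrincipalName, alternative 1: direct myLDAP lookup -->
    <!-- use this if the eduPersonPrincipalName is stored in myLDAP -->
    <!--
    <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName">
        <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/>
    </AttributeDefinition>
    -->

    <!-- eduPersonPrincipalName, alternative 2: create from login name -->
    <!-- Change the attributeNames as appropriate to your IDM & LDAP -->
    <!-- The LDAP "uid" value becomes the left-hand side and idp.scope the right-hand side of the ePPN. -->
    <AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}">
        <InputDataConnector ref="myLDAP" attributeNames="uid"/>
    </AttributeDefinition>

    <!-- samlPairwiseID, alternative 1: stored value -->
    <!-- use this if the samlPairwiseID input is stored via DataConnector myStoredId -->
    <!--
    <AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
        <InputDataConnector ref="myStoredId" attributeNames="storedId"/>
    </AttributeDefinition>
    -->

    <!-- samlPairwiseID, alternative 2: computed value -->
    <!-- use this if the samlPairwiseID is computed via DataConnector computed -->
    <AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
        <InputDataConnector ref="computed" attributeNames="ComputedID"/>
    </AttributeDefinition>

    <!-- samlSubjectID -->
    <!-- Scoped form of the salted hash produced by subjectIdHash below. -->
    <AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}">
        <InputAttributeDefinition ref="subjectIdHash"/>
    </AttributeDefinition>

    <!-- subjectIdHash -->
    <!--
        Intermediate value (dependencyOnly, never released on its own): the SHA-256 hex
        digest of the first value of the persistent-id source attribute concatenated with
        idp.persistentId.salt. The same salt also feeds the "computed" DataConnector
        below, so both identifiers derive from one secret, albeit via different algorithms.

        Both property values are spliced into the script as literal text: the salt must
        not contain a double quote or a backslash, and the source attribute name must be
        a valid JavaScript identifier, or the script will fail to parse.

        The guard keeps the script from throwing when the source attribute was not
        resolved or has no values; in that case no value is added and samlSubjectID is
        simply not produced for the subject.
    -->
    <AttributeDefinition xsi:type="ScriptedAttribute" id="subjectIdHash" dependencyOnly="true">
        <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/>
        <Script><![CDATA[
            var digestUtils = Java.type("org.apache.commons.codec.digest.DigestUtils");
            if (typeof %{idp.persistentId.sourceAttribute} !== "undefined"
                    && %{idp.persistentId.sourceAttribute}.getValues().size() > 0) {
                var saltedHash = digestUtils.sha256Hex(
                    %{idp.persistentId.sourceAttribute}.getValues().get(0) + "%{idp.persistentId.salt}");
                subjectIdHash.addValue(saltedHash);
            }
        ]]></Script>
    </AttributeDefinition>

    <!-- eduPersonTargetedID, alternative 1: stored value -->
    <!--
    <AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID"
            nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        <InputDataConnector ref="myStoredId" attributeNames="storedId"/>
        <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID"/>
    </AttributeDefinition>
    -->

    <!-- eduPersonTargetedID, alternative 2: computed value -->
    <!-- Shares the ComputedID source with samlPairwiseID, so both carry the same per-relying-party value. -->
    <AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID"
            nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        <InputDataConnector ref="computed" attributeNames="ComputedID"/>
        <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID"/>
    </AttributeDefinition>

    <!-- schacPersonalUniqueCode -->
    <!-- the example source attribute imatrikulacnecislo has to comply with the ESI requirements -->
    <!-- https://www.safeid.sk/attributes:services:erasmus -->
    <!--
    <AttributeDefinition xsi:type="Template" id="schacPersonalUniqueCode">
        <InputDataConnector ref="myLDAP" attributeNames="imatrikulacnecislo"/>
        <DisplayName xml:lang="sk">Európsky identifikátor študenta (ESI)</DisplayName>
        <DisplayName xml:lang="en">European Student Identifier (ESI)</DisplayName>
        <Template>urn:schac:personalUniqueCode:int:esi:%{idp.scope}:${imatrikulacnecislo}</Template>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.14" friendlyName="schacPersonalUniqueCode" encodeType="false"/>
    </AttributeDefinition>
    -->

    <!-- eduPersonAffiliation, alternative 1: direct myLDAP lookup -->
    <!-- use this if the eduPersonAffiliation is stored in myLDAP -->
    <AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation">
        <InputDataConnector ref="myLDAP" attributeNames="eduPersonAffiliation"/>
    </AttributeDefinition>

    <!-- eduPersonScopedAffiliation -->
    <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}">
        <InputAttributeDefinition ref="eduPersonAffiliation"/>
    </AttributeDefinition>

    <!-- eduPersonEntitlement -->
    <!-- Assign the common-lib-terms entitlement to all members and library-walk-in users -->
    <!-- Assert that all your subjects with an affiliation of member have had their identity
         sufficiently verified that they can all request personal certificates via TCS -->
    <!-- You'll need to adapt that second part as needed, depending on what parts of your
         community you intend to offer the TCS personal service to. -->
    <!-- Both entitlements are derived solely from eduPersonAffiliation as read from myLDAP,
         so the LDAP affiliation values are what ultimately authorise these services. -->
    <AttributeDefinition id="eduPersonEntitlement" xsi:type="Mapped">
        <InputAttributeDefinition ref="eduPersonAffiliation"/>
        <ValueMap>
            <ReturnValue>urn:mace:dir:entitlement:common-lib-terms</ReturnValue>
            <SourceValue>member</SourceValue>
            <SourceValue>library-walk-in</SourceValue>
        </ValueMap>
        <ValueMap>
            <ReturnValue>urn:mace:terena.org:tcs:personal-user</ReturnValue>
            <SourceValue>member</SourceValue>
        </ValueMap>
    </AttributeDefinition>

    <!-- schacHomeOrganization -->
    <AttributeDefinition xsi:type="Simple" id="schacHomeOrganization">
        <InputDataConnector ref="staticAttributes" attributeNames="schacHomeOrganization"/>
        <DisplayName xml:lang="sk">Doména organizácie</DisplayName>
        <DisplayName xml:lang="en">Home organization domain</DisplayName>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9"/>
    </AttributeDefinition>

    <!-- schacHomeOrganizationType -->
    <AttributeDefinition xsi:type="Simple" id="schacHomeOrganizationType">
        <InputDataConnector ref="staticAttributes" attributeNames="schacHomeOrganizationType"/>
        <DisplayName xml:lang="sk">Typ organizácie</DisplayName>
        <DisplayName xml:lang="en">Home organization type</DisplayName>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.10"/>
    </AttributeDefinition>

    <!-- ========================================== -->
    <!--      Data Connectors                       -->
    <!-- ========================================== -->

    <!-- Static, deployment-wide values. "o" looks like a placeholder (Slovak for "university name")
         and is not consumed by any AttributeDefinition in this file; replace or remove it. -->
    <DataConnector id="staticAttributes" xsi:type="Static">
        <Attribute id="o">
            <Value>Meno univerzity</Value>
        </Attribute>
        <Attribute id="schacHomeOrganization">
            <Value>%{idp.scope}</Value>
        </Attribute>
        <Attribute id="schacHomeOrganizationType">
            <Value>urn:schac:homeOrganizationType:eu:higherEducationInstitution</Value>
            <!-- This value is for EU higher education institution, other allowed values are:
                 - urn:schac:homeOrganizationType:eu:educationInstitution
                 - urn:schac:homeOrganizationType:int:NREN
                 - urn:schac:homeOrganizationType:int:universityHospital
                 - urn:schac:homeOrganizationType:int:NRENAffiliate
                 - urn:schac:homeOrganizationType:int:other -->
        </Attribute>
    </DataConnector>

    <!-- Example LDAP Connector (DataConnector myLDAP depends on ldap.properties). -->
    <!-- https://wiki.shibboleth.net/confluence/display/IDP4/LDAPConnector -->
    <!--
        Transport security: StartTLS is on unless idp.attribute.resolver.LDAP.useStartTLS
        is explicitly set to false, and trustFile supplies the trust anchors for the
        directory's certificate. The bind credential and the search filter are taken
        from ldap.properties, not from this file.
    -->
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
        <FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </FilterTemplate>
        <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            validateDN="%{idp.pool.LDAP.validateDN:}"
            validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
    </DataConnector>

    <!-- DataConnector for stored pairwise-id (depends on saml-nameid.properties). -->
    <!-- https://wiki.shibboleth.net/confluence/display/IDP4/PersistentNameIDGenerationConfiguration -->
    <!--
    <DataConnector id="myStoredId" xsi:type="StoredId"
        generatedAttributeID="storedId"
        salt="%{idp.persistentId.salt}"
        algorithm="%{idp.persistentId.algorithm:SHA}"
        encoding="%{idp.persistentId.encoding:BASE32}"
        queryTimeout="0">
        <InputAttributeDefinition ref="%{idp.persistentId.sourceAttribute}"/>
        <BeanManagedConnection>shibboleth.MySQLDataSource</BeanManagedConnection>
    </DataConnector>
    -->

    <!-- DataConnector for computed pairwise-id (depends on saml-nameid.properties). -->
    <!-- https://wiki.shibboleth.net/confluence/display/IDP4/PersistentNameIDGenerationConfiguration -->
    <!--
        The digest algorithm defaults to "SHA" (the JCA alias for SHA-1) and the salt is
        the same idp.persistentId.salt used by subjectIdHash above. Changing either the
        algorithm or the salt changes every identifier already released to relying parties.
    -->
    <DataConnector id="computed" xsi:type="ComputedId"
        generatedAttributeID="ComputedID"
        salt="%{idp.persistentId.salt}"
        algorithm="%{idp.persistentId.algorithm:SHA}"
        encoding="%{idp.persistentId.encoding:BASE32}">
        <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/>
    </DataConnector>

</AttributeResolver>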