...
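[carsi@www ~]$ sudo vi /opt/shibboleth-idp/conf/attribute-resolver.xml
<!-- eduPersonScopedAffiliation: derived from the LDAP employeeType value and scoped with %{idp.scope}. -->
<AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonScopedAffiliation">
  <InputDataConnector ref="myLDAP" attributeNames="employeeType"/>
  <Script><![CDATA[
    var scopedValueType = Java.type("net.shibboleth.idp.attribute.ScopedStringAttributeValue");
    var localPart = "";
    // Only map when the connector supplied employeeType with at least one value:
    // get(0) on an empty value list would throw and fail the resolution.
    // Comments inside the script must use JavaScript syntax (//), not '#'.
    if (typeof(employeeType) != "undefined" && employeeType.getValues().size() > 0) {
      var employeeTypeValue = employeeType.getValues().get(0);
      if (employeeTypeValue == "staff") {
        // "staff" is the value used by the local user-management system; locally it may be "staf" or something else.
        localPart = "staff";
      } else if (employeeTypeValue == "std") {
        // "std" is the value used by the local user-management system; locally it may be "stud", "student", etc.
        localPart = "student";
      } else {
        // Catch-all: every other employeeType value is asserted as "member".
        // Confirm with local policy that unrecognised values should be asserted at all.
        localPart = "member";
      }
      eduPersonScopedAffiliation.addValue(new scopedValueType(localPart, "%{idp.scope}"));
    }
  ]]></Script>
</AttributeDefinition>
[carsi@www ~]$ sudo systemctl restart jetty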
...
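[carsi@www ~]$ sudo cat attribute-resolver.xml
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

  <!-- ========================================== -->
  <!--             Attribute Definitions          -->
  <!-- ========================================== -->

  <!-- eduPersonScopedAffiliation: derived from the LDAP employeeType value and scoped with %{idp.scope}. -->
  <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonScopedAffiliation">
    <InputDataConnector ref="myLDAP" attributeNames="employeeType"/>
    <Script><![CDATA[
      var scopedValueType = Java.type("net.shibboleth.idp.attribute.ScopedStringAttributeValue");
      var localPart = "";
      // Only map when the connector supplied employeeType with at least one value:
      // get(0) on an empty value list would throw and fail the resolution.
      if (typeof(employeeType) != "undefined" && employeeType.getValues().size() > 0) {
        var employeeTypeValue = employeeType.getValues().get(0);
        if (employeeTypeValue == "staff") {
          localPart = "staff";
        } else if (employeeTypeValue == "std") {
          localPart = "student";
        } else {
          // Catch-all: every other employeeType value is asserted as "member".
          // Confirm with local policy that unrecognised values should be asserted at all.
          localPart = "member";
        }
        eduPersonScopedAffiliation.addValue(new scopedValueType(localPart, "%{idp.scope}"));
      }
    ]]></Script>
  </AttributeDefinition>
  <!-- NOTE: the stray "}" that previously followed </Script> was text content inside
       AttributeDefinition and has been removed; the element must hold only child elements. -->

  <!-- eduPersonPrincipalName: uid scoped with %{idp.scope}. -->
  <AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}">
    <InputAttributeDefinition ref="uid"/>
  </AttributeDefinition>

  <!-- uid: the authenticated principal name. -->
  <AttributeDefinition id="uid" xsi:type="PrincipalName"/>

  <!-- eduPersonTargetedID: persistent NameID built from the myStoredID connector. -->
  <AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
                       nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <InputDataConnector ref="myStoredID" attributeNames="persistentID"/>
    <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" encodeType="false"/>
    <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                      friendlyName="eduPersonTargetedID" encodeType="false"/>
  </AttributeDefinition>

  <!-- samlPairwiseID: the same persistentID value, scoped with %{idp.scope}. -->
  <AttributeDefinition id="samlPairwiseID" xsi:type="Scoped" scope="%{idp.scope}">
    <InputDataConnector ref="myStoredID" attributeNames="persistentID"/>
  </AttributeDefinition>

  <!-- eduPersonEntitlement: a fixed value supplied by the staticAttributes connector. -->
  <AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple">
    <InputDataConnector ref="staticAttributes" attributeNames="eduPersonEntitlement"/>
  </AttributeDefinition>

  <!-- ========================================== -->
  <!--               Data Connectors              -->
  <!-- ========================================== -->

  <DataConnector id="staticAttributes" xsi:type="Static">
    <Attribute id="eduPersonEntitlement">
      <Value>urn:mace:dir:entitlement:common-lib-terms</Value>
    </Attribute>
  </DataConnector>

  <!-- Persistent identifier derived from eduPersonPrincipalName. The salt is referenced
       from the idp.persistentId.salt property rather than written here; keep that property
       file protected. -->
  <DataConnector id="myStoredID" xsi:type="StoredId"
                 generatedAttributeID="persistentID"
                 salt="%{idp.persistentId.salt}"
                 queryTimeout="0">
    <InputAttributeDefinition ref="eduPersonPrincipalName"/>
    <BeanManagedConnection>MyDataSource</BeanManagedConnection>
  </DataConnector>

  <!-- LDAP lookup. The URL, base DN, bind DN and bind credential all come from
       properties (idp.attribute.resolver.LDAP.*), so no secret is hard-coded in this file. -->
  <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
                 ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
                 baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
                 principal="%{idp.attribute.resolver.LDAP.bindDN}"
                 principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
                 connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
                 responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
    <FilterTemplate>
      <![CDATA[ %{idp.attribute.resolver.LDAP.searchFilter} ]]>
    </FilterTemplate>
    <ConnectionPool minPoolSize="%{idp.pool.LDAP.minSize:3}"
                    maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
                    blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
                    validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
                    validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
                    expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
                    failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}"/>
  </DataConnector>

</AttributeResolver>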
...