Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagebash
[carsi@www ~]$ sudo vi /opt/shibboleth-idp/conf/attribute-resolver.xml

    <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonScopedAffiliation">
        <InputDataConnector ref="myLDAP" attributeNames="employeeType"/>
        <Script><![CDATA[
		scopedValueType = Java.type("net.shibboleth.idp.attribute.ScopedStringAttributeValue");
        var localPart = "";
        if(typeof(employeeType)!="undefined"){
            if(employeeType.getValues().get(0)=="staff") localPart = "staff"; # if条件中“staff”为本地用户管理系统中属性取值,可能是“staf”或其他
            else if(employeeType.getValues().get(0)=="std") localPart = "student"; # if条件中“std”为本地用户管理系统中属性取值,可能是“stud”“student”等
            else localPart = "member";
            eduPersonScopedAffiliation.addValue(new scopedValueType(localPart, "%{idp.scope}"));
            }]]></Script>
    </AttributeDefinition>

[carsi@www ~]$ sudo systemctl restart jetty

...

Code Block
languagexml
[carsi@www ~]$ sudo  cat attribute-resolver.xml
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
        xmlns="urn:mace:shibboleth:2.0:resolver"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <!-- ========================================== -->
    <!--      Attribute Definitions                 -->
    <!-- ========================================== -->


    <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonScopedAffiliation">
        <InputDataConnector ref="myLDAP" attributeNames="employeeType"/>
        <Script><![CDATA[
		scopedValueType = Java.type("net.shibboleth.idp.attribute.ScopedStringAttributeValue");
        var localPart = "";
        if(typeof(employeeType)!="undefined"){
			if(employeeType.getValues().get(0)=="staff") localPart = "staff";
	        else if(employeeType.getValues().get(0)=="std") localPart = "student";
    	    else localPart = "member";
        	eduPersonScopedAffiliation.addValue(new scopedValueType(localPart, "%{idp.scope}"));
            	}]]></Script>
		}
    </AttributeDefinition>

    <AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}">
        <InputAttributeDefinition ref="uid"/>
    </AttributeDefinition>

    <AttributeDefinition id="uid" xsi:type="PrincipalName" />

    <AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        <InputDataConnector ref="myStoredID" attributeNames="persistentID"/>
        <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" encodeType="false"/>
        <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" encodeType="false"/>
    </AttributeDefinition>

    <AttributeDefinition id="samlPairwiseID" xsi:type="Scoped" scope="%{idp.scope}">
        <InputDataConnector ref="myStoredID" attributeNames="persistentID"/>
    </AttributeDefinition>

    <AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple">
        <InputDataConnector ref="staticAttributes" attributeNames="eduPersonEntitlement" />
    </AttributeDefinition>

    <DataConnector id="staticAttributes" xsi:type="Static">
        <Attribute id="eduPersonEntitlement">
        <Value>urn:mace:dir:entitlement:common-lib-terms</Value>
        </Attribute>
    </DataConnector>

    <DataConnector id="myStoredID" xsi:type="StoredId" generatedAttributeID="persistentID" salt="%{idp.persistentId.salt}" queryTimeout="0">
        <InputAttributeDefinition ref="eduPersonPrincipalName"/>
            <BeanManagedConnection>MyDataSource</BeanManagedConnection>
    </DataConnector>

    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
        <FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </FilterTemplate>
            <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
            failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
    </DataConnector>

</AttributeResolver>

...