
grouper-users - Re: [grouper-users] Exposing Groups Through Shibboleth

  • From: Mark Cairney <>
  • To:
  • Subject: Re: [grouper-users] Exposing Groups Through Shibboleth
  • Date: Tue, 22 Nov 2011 14:57:42 +0000

Hi,


I recently did something fairly similar to this in our TEST environment based
on option 1.

The process is largely described in the Grouper document listed but as I
wanted to use LDAP groups created by the Grouper provisioner to
create entitlements in Shibboleth the "additional" steps were:

In my attribute-resolver.xml file in /opt/shibboleth-idp:

1. Turn eduPersonEntitlement into a scripted attribute:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Script"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="eduPersonEntitlement">
<resolver:Dependency ref="AuthLDAP" />

2. Write a small script that adds an eduPersonEntitlement string when the
user is in a matching group. This is done with a short bit of JavaScript
which I gleaned off the SWITCH documentation IIRC.

<resolver:AttributeEncoder xsi:type="SAML1String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:dir:attribute-def:eduPersonEntitlement" />

<resolver:AttributeEncoder xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
friendlyName="eduPersonEntitlement" />
<Script><![CDATA[

importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

// Create the attribute to be returned from this definition (it is only
// pre-populated by the IdP when the source attribute already has a value)
if (eduPersonEntitlement == null) {
    eduPersonEntitlement = new BasicAttribute("eduPersonEntitlement");
}

// If the user has group membership (memberOf is supplied by the AuthLDAP dependency)
if (typeof memberOf != "undefined" && memberOf != null) {
    // Then go through each group membership and add the appropriate
    // entitlement. The IdP will remove duplicate values so we don't
    // need to worry about that here.
    for (var i = 0; i < memberOf.getValues().size(); i++) {
        var value = memberOf.getValues().get(i);

        // value is a java.lang.String holding the group DN; this is a
        // case-sensitive substring test on it
        if (value.contains("cn=test,ou=adhoc,ou=adhoc,ou=grouper")) {
            eduPersonEntitlement.getValues().add("urn:mace:ac.uk:sdss.ac.uk:entitlement:Ad-hocGrouperTest");
        }
    }
}

]]></Script>
</resolver:AttributeDefinition>

3. Add "memberOf" to the ReturnedAttributes list for the LDAP data connector:

<ReturnAttributes>uid eduPersonAffiliation eduPersonEntitlement mail
givenName sn cn memberOf</ReturnAttributes>

I'm using OpenLDAP with the slapo-memberOf overlay as my LDAP data source -
this puts the user's group memberships into the memberOf operational
attribute automagically as they are added/removed by Grouper.

Hope this is useful,

Mark


On 21 Nov 2011, at 21:13, Klug, Lawrence wrote:

> Tom,
>
> Thanks a lot!
>
> Lawrence
>
> From: [mailto:] On Behalf Of Tom Barton
> Sent: Monday, November 21, 2011 12:08 PM
> To:
> Subject: Re: [grouper-users] Exposing Groups Through Shibboleth
>
> To expand a little on David's answer,
>
> 1.
> https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth
>
> suggests config on the shib IdP to pull group info out of LDAP.
>
> Your question might also have been motivated by
>
> 2. https://spaces.internet2.edu/display/Grouper/LDAPPCNG
>
> because Ldappcng uses the shib attribute resolver and so similar looking
> config resides in ldappc-resolver.xml.
>
> Just to air things out a bit further, I'll note that there's also
>
> 3.
> https://spaces.internet2.edu/display/Grouper/Grouper+and+Shibboleth+Integration
>
> which addresses the same needs first addressed by item 1, but using one or
> both of two new DataConnectors available to the shib IdP that provide group
> and membership info from grouper directly to the IdP.
>
> Tom
>
> On 11/21/2011 1:40 PM, David Langenberg wrote:
> Looking @ the doc. All the examples with '<resolver:' type XML are in
> attribute-resolver.xml. The rest are attribute-filter.xml.
>
> Dave
>
> --
> David Langenberg
> Identity Management
> The University of Chicago
>
> From: "Klug, Lawrence" <>
> Date: Mon, 21 Nov 2011 13:31:50 -0600
> To: "" <>
> Subject: [grouper-users] Exposing Groups Through Shibboleth
>
> Looking at this admin guide:
>
> https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth
>
> Question: Is this example configured on the Grouper side or the Shibboleth
> side? What config file is shown in the code examples?
>
> Our use case: Configure Shibboleth and Grouper to manage groups in
> Plone. (Plone is a Zope-based open source CMS product).
>
> Thanks,
>
> Lawrence
>
> Lawrence Klug
> UCLA Middleware Services
> Office: 310 825-2061
> Cell: 818 667-2386
>

/*********************************
Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email:


*********************************/


--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
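The matching rule in the script posted above is worth a closer look: `value.contains(...)` is a case-sensitive substring test on the raw DN string, so a group DN returned in different case is missed, and any DN that merely contains the needle (for instance the same RDNs under a different suffix) is accepted. What follows is an added example in plain Node.js, not the IdP's Rhino script and not Grouper or Shibboleth code: it models the same memberOf-to-eduPersonEntitlement mapping with DN normalisation and full-DN matching, and contrasts it with the substring rule. The base DN `dc=example,dc=org`, the second group and its `urn:example:...` entitlement, and the sample memberOf values are all constructed for the example.

```javascript
// Added example (not the IdP's script): the memberOf -> eduPersonEntitlement
// mapping from the thread, modelled in plain Node.js so the matching rule can
// be exercised offline. Base DN, second group and sample memberOf values are
// constructed for this example.

// Split a DN into RDN strings. A backslash escapes the next character, so an
// escaped comma inside a value ("cn=Smith\, J") does not start a new RDN.
function splitDn(dn) {
  const rdns = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) {
      cur += ch + dn[i + 1];
      i += 1;
    } else if (ch === ",") {
      rdns.push(cur);
      cur = "";
    } else {
      cur += ch;
    }
  }
  rdns.push(cur);
  return rdns;
}

// Canonical DN: trim each RDN, lower-case attribute types and values. This is
// adequate for cn/ou/dc (caseIgnoreMatch), which is all a Grouper-provisioned
// group DN consists of.
function normalizeDn(dn) {
  return splitDn(dn)
    .map((rdn) => {
      const eq = rdn.indexOf("=");
      if (eq < 0) return rdn.trim().toLowerCase();
      const type = rdn.slice(0, eq).trim().toLowerCase();
      const value = rdn.slice(eq + 1).trim().toLowerCase();
      return `${type}=${value}`;
    })
    .join(",");
}

// Constructed mapping table: full group DN -> entitlement URN. The first entry
// is the group and URN from the thread under an assumed base DN; the second is
// hypothetical. Keying on the full DN means a group with the same leading RDNs
// under another suffix does not match.
const GROUP_ENTITLEMENTS = {
  "cn=test,ou=adhoc,ou=adhoc,ou=grouper,dc=example,dc=org":
    "urn:mace:ac.uk:sdss.ac.uk:entitlement:Ad-hocGrouperTest",
  "cn=staff,ou=basis,ou=grouper,dc=example,dc=org":
    "urn:example:entitlement:staff-portal",
};

// Resolve a user's memberOf values to a sorted, de-duplicated entitlement list.
// A missing or null memberOf (user in no groups) yields an empty list, which is
// what the posted script's null check is for.
function entitlementsFor(memberOf, table = GROUP_ENTITLEMENTS) {
  const byDn = new Map(
    Object.entries(table).map(([dn, urn]) => [normalizeDn(dn), urn])
  );
  const out = new Set();
  for (const dn of memberOf || []) {
    const urn = byDn.get(normalizeDn(dn));
    if (urn !== undefined) out.add(urn);
  }
  return [...out].sort();
}

// The posted script's rule, for comparison: raw, case-sensitive substring test.
function substringMatches(memberOfValue, needle) {
  return memberOfValue.includes(needle);
}

// Constructed memberOf values for one user.
const SAMPLE_MEMBER_OF = [
  // The thread's group, but with the DN returned in a different case.
  "CN=Test,OU=adhoc,OU=adhoc,OU=grouper,DC=example,DC=org",
  // A hypothetical group under another suffix that still contains the needle.
  "cn=test,ou=adhoc,ou=adhoc,ou=grouper,ou=archive,dc=example,dc=org",
  "cn=staff,ou=basis,ou=grouper,dc=example,dc=org",
];

function demo() {
  const needle = "cn=test,ou=adhoc,ou=adhoc,ou=grouper";
  for (const dn of SAMPLE_MEMBER_OF) {
    console.log(`${dn}\n  substring match: ${substringMatches(dn, needle)}`);
  }
  console.log("full-DN entitlements:", entitlementsFor(SAMPLE_MEMBER_OF));
}

demo();
```

Run with `node` to see the two rules disagree on the first two sample DNs. The full-DN table is also the natural place to keep the group-to-entitlement list out of the script body, so adding a group means adding a row rather than another `if`.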



