grouper-users - Re: [grouper-users] Exposing Groups Through Shibboleth

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] Exposing Groups Through Shibboleth


  • From: Jim Fox <>
  • To: Mark Cairney <>
  • Cc:
  • Subject: Re: [grouper-users] Exposing Groups Through Shibboleth
  • Date: Tue, 22 Nov 2011 08:47:42 -0800 (PST)


We also use groups to compute entitlements, and we send group memberships directly as well. The resolver for group memberships has two encoders:

<resolver:AttributeEncoder xsi:type="SAML1String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:dir:attribute-def:isMemberOf" />

<resolver:AttributeEncoder xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
friendlyName="isMemberOf" />

and the computation uses a Template to add our namespace preface
to each of the group names:

<Template>
<![CDATA[
urn:mace:washington.edu:groups:${memberOf}
]]>
</Template>

Jim

On Tue, 22 Nov 2011, Mark Cairney wrote:

Date: Tue, 22 Nov 2011 06:57:42 -0800
From: Mark Cairney <>
To:
Subject: Re: [grouper-users] Exposing Groups Through Shibboleth

Hi,


I recently did something fairly similar to this in our TEST environment based
on option 1.

The process is largely described in the Grouper document listed, but as I
wanted to use LDAP groups created by the Grouper provisioner to
create entitlements in Shibboleth, the "additional" steps were:

In my attribute-resolver.xml file in /opt/shibboleth-idp:

1. Turn eduPersonEntitlement into a scripted attribute:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Script"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="eduPersonEntitlement">
<resolver:Dependency ref="AuthLDAP" />

2. Write a small script that adds an eduPersonEntitlement string when the
user is in a matching group. This is done with a short bit of JavaScript
which I gleaned off the SWITCH documentation IIRC.

<resolver:AttributeEncoder xsi:type="SAML1String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:dir:attribute-def:eduPersonEntitlement" />

<resolver:AttributeEncoder xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
friendlyName="eduPersonEntitlement" />
<Script><![CDATA[

importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

// Create attribute to be returned from definition
if (eduPersonEntitlement == null) eduPersonEntitlement = new BasicAttribute("eduPersonEntitlement");

// If the user has group membership
if (typeof memberOf != "undefined" && memberOf != null ){
    // Then go through each group membership and add the appropriate affiliation
    // The IdP will remove duplicate values so we don't need to worry about that here
    for ( i = 0; memberOf != null && i < memberOf.getValues().size(); i++ ){
        value = memberOf.getValues().get(i);

        if (value.contains("cn=test,ou=adhoc,ou=adhoc,ou=grouper")){
            eduPersonEntitlement.getValues().add("urn:mace:ac.uk:sdss.ac.uk:entitlement:Ad-hocGrouperTest");
        }
    }
}

]]></Script>
</resolver:AttributeDefinition>

3. Add "memberOf" to the ReturnedAttributes list for the LDAP data connector:

<ReturnAttributes>uid eduPersonAffiliation eduPersonEntitlement mail givenName sn cn memberOf</ReturnAttributes>

I'm using OpenLDAP with the slapo-memberOf overlay as my LDAP data source;
this puts the user's group memberships into the memberOf operational
attribute automagically as they are added/removed by Grouper.

Hope this is useful,

Mark


On 21 Nov 2011, at 21:13, Klug, Lawrence wrote:

Tom,

Thanks a lot!

Lawrence

From: [mailto:] On Behalf Of Tom Barton
Sent: Monday, November 21, 2011 12:08 PM
To:
Subject: Re: [grouper-users] Exposing Groups Through Shibboleth

To expand a little on David's answer,

1.
https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth

suggests config on the shib IdP to pull group info out of LDAP.

Your question might also have been motivated by

2. https://spaces.internet2.edu/display/Grouper/LDAPPCNG

because Ldappcng uses the shib attribute resolver and so similar looking
config resides in ldappc-resolver.xml.

Just to air things out a bit further, I'll note that there's also

3.
https://spaces.internet2.edu/display/Grouper/Grouper+and+Shibboleth+Integration

which addresses the same needs first addressed by item 1, but using one or
both of two new DataConnectors available to the shib IdP that provide group
and membership info from grouper directly to the IdP.

Tom

On 11/21/2011 1:40 PM, David Langenberg wrote:
Looking @ the doc. All the examples with '<resolver:' type XML are in
attribute-resolver.xml. The rest are attribute-filter.xml.

Dave

--
David Langenberg
Identity Management
The University of Chicago

From: "Klug, Lawrence" <>
Date: Mon, 21 Nov 2011 13:31:50 -0600
To: "" <>
Subject: [grouper-users] Exposing Groups Through Shibboleth

Looking at this admin guide:

https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth

Question: Is this example configured on the Grouper side or the Shibboleth
side? What config file is shown in the code examples?

Our use case: Configure Shibboleth and Grouper to manage groups in Plone.
(Plone is a Zope-based open source CMS product).

Thanks,

Lawrence

Lawrence Klug
UCLA Middleware Services
Office: 310 825-2061
Cell: 818 667-2386


/*********************************
Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email:


*********************************/


--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
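The group-to-entitlement logic of the scripted attribute in Mark's message, plus the namespace prefix from Jim's Template, written as plain Node.js functions so they can be exercised outside the IdP. This is an added example, not code from the thread or from Shibboleth or Grouper; the group DN, entitlement URN and memberOf values are constructed, and it matches on an exact normalised DN rather than a substring, which is a deliberate difference from the posted script.

```javascript
// Added example (not from the thread): the scripted-attribute logic and the
// namespace Template rewritten as standalone functions. Matching is exact on a
// normalised DN rather than String.contains(), so a DN that merely embeds the
// target DN as a substring does not earn the entitlement.

// Normalise an LDAP DN for comparison: lower-case, strip spaces around the
// separators. Enough for these constructed DNs; full RFC 4514 handling would
// also cover escaped characters and multi-valued RDNs.
function normalizeDn(dn) {
  return dn
    .split(",")
    .map((rdn) => rdn.trim().replace(/\s*=\s*/, "=").toLowerCase())
    .join(",");
}

// Group DN -> entitlement URN. Constructed values in the style of Mark's
// message; substitute your own groups and URNs.
const ENTITLEMENT_MAP = {
  "cn=test,ou=adhoc,ou=adhoc,ou=grouper,dc=example,dc=org":
    "urn:mace:example.org:entitlement:Ad-hocGrouperTest",
};

// eduPersonEntitlement values for a user's memberOf values (de-duplicated,
// as the IdP would do for the real attribute).
function computeEntitlements(memberOf, map = ENTITLEMENT_MAP) {
  const lookup = new Map(
    Object.entries(map).map(([dn, urn]) => [normalizeDn(dn), urn])
  );
  const out = new Set();
  for (const dn of memberOf || []) {
    const urn = lookup.get(normalizeDn(dn));
    if (urn) out.add(urn);
  }
  return [...out];
}

// isMemberOf values: Jim's Template prefixes a namespace to each group name.
// Assumes the input already holds Grouper group names rather than LDAP DNs.
function computeIsMemberOf(groupNames, prefix = "urn:mace:washington.edu:groups:") {
  return (groupNames || []).map((g) => prefix + g);
}

// Constructed sample input: mixed case and spacing, one non-matching group.
const SAMPLE_MEMBER_OF = [
  "CN=Test, OU=adhoc, ou=Adhoc, ou=grouper, dc=example, dc=org",
  "cn=other,ou=adhoc,ou=adhoc,ou=grouper,dc=example,dc=org",
];
console.log(computeEntitlements(SAMPLE_MEMBER_OF));
console.log(computeIsMemberOf(["uw_employee"]));
```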




