Active Directory memberOf converted to groups attribute


Justin Turner

Feb 9, 2012, 11:31:39 AM
to simpleSAMLphp
Hello,

My simpleSAMLphp install is working great. Our users can log in, and
the appropriate AD data (username, email, first/last name) are passed
to the SPs based on each of their settings.

What I want to know is if we can leverage authproc and
core:AttributeAdd to add groups based on the memberOf attribute from
AD.

Basically what needs to happen is:
1. User logs in
2. User data retrieved from AD
3. AD data evaluated (turn CN=Group Name,OU=Context,DC=domain INTO
Group Name)
4. Modified list of groups added to Attributes as 'groups'

I couldn't find any examples of how to access the AD attributes that
were retrieved, so I'm not sure where to start on the authproc.

Justin Turner

Feb 9, 2012, 1:50:24 PM
to simpleSAMLphp
Answered my own question, you can use core:PHP to do more advanced
manipulation of the content inside the $attributes array.

I added the below inside of authproc.idp inside my config.php so that
it would apply to all the SPs.

This replaces each memberOf string with the content between CN= and the
first comma (in other words the group name).

60 => array(
    'class' => 'core:PHP',
    'code' => '
        // Only act when AD returned a memberOf attribute
        if (!empty($attributes["memberOf"])) {
            $begin = "CN=";
            $end = ",";
            foreach ($attributes["memberOf"] as $key => $value) {
                // The group name sits between "CN=" and the first comma after it
                $pos_begin = strpos($value, $begin);
                $pos_end = ($pos_begin === false)
                    ? false
                    : strpos($value, $end, $pos_begin + strlen($begin));
                if ($pos_begin === false || $pos_end === false) {
                    // Not a DN of the expected shape: drop the entry
                    unset($attributes["memberOf"][$key]);
                } else {
                    $attributes["memberOf"][$key] = substr($value,
                        $pos_begin + strlen($begin),
                        $pos_end - $pos_begin - strlen($begin));
                }
            }
        }
    ',
),
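The strpos-based approach above stops at the first comma it sees, so a CN that contains an RFC 4514 escaped comma (for example a group named "Sales, EMEA", which AD returns as "CN=Sales\, EMEA,...") is cut short, and the SP then sees a group name that does not match what it was configured to authorize. The standalone script below is an added example, not code from the original post or from simpleSAMLphp; it assumes the same $attributes array that core:PHP receives and, as the first post asked for, writes the parsed names into a separate 'groups' attribute while leaving memberOf untouched.

```php
<?php
// Added example (not from the original thread): extract the first CN value of
// each memberOf DN while honouring backslash-escaped characters, then publish
// the result as a 'groups' attribute. Assumes $attributes is the array that
// simpleSAMLphp hands to a core:PHP authproc filter.

function dnFirstCn(string $dn): ?string {
    // Walk the DN character by character; "\," stays inside the value instead
    // of terminating the RDN the way a plain strpos(",") would.
    if (stripos($dn, 'CN=') !== 0) {
        return null;                      // DN does not start with a CN RDN
    }
    $value = '';
    $len = strlen($dn);
    for ($i = 3; $i < $len; $i++) {
        $ch = $dn[$i];
        if ($ch === '\\' && $i + 1 < $len) {
            $value .= $dn[++$i];          // keep the escaped character literally
        } elseif ($ch === ',') {
            break;                        // unescaped comma ends the first RDN
        } else {
            $value .= $ch;
        }
    }
    return $value === '' ? null : $value;
}

// Sample memberOf values, constructed for this example.
$attributes = [
    'memberOf' => [
        'CN=Web Admins,OU=Groups,DC=example,DC=com',
        'CN=Sales\, EMEA,OU=Groups,DC=example,DC=com',
        'OU=NoCN,DC=example,DC=com',      // malformed entry: skipped, not truncated
    ],
];

$groups = [];
foreach ($attributes['memberOf'] ?? [] as $dn) {
    $cn = dnFirstCn($dn);
    if ($cn !== null) {
        $groups[] = $cn;
    }
}
// Deduplicate and reindex so the SAML assertion gets a clean list.
$attributes['groups'] = array_values(array_unique($groups));
```

Because only the CN is kept, two groups with the same name in different OUs collapse into one value; if the SP makes authorization decisions on 'groups', either keep the full DN or include the OU in the emitted name.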