LDAP User Attribute Mapping


Raju Singh

Nov 11, 2012, 9:55:55 AM
to simplesamlphp
Hi Members,

Can someone help me understand what "LDAP User Attribute Mapping" is?

Regards

Matthew Slowe

Nov 11, 2012, 3:11:09 PM
to <simplesamlphp@googlegroups.com>

On 11 Nov 2012, at 14:55, Raju Singh wrote:

> Hi Members,
>
> Can someone help me understand what "LDAP User Attribute Mapping" is?


Not sure of the context here but I expect it's referring to where you take an attribute named X from an authentication source and send it off to an SP named Y.

This is done, in simplesamlphp, in an authproc filter (see http://simplesamlphp.org/docs/stable/core:authproc_attributemap)

Hope that helps,
--
Matthew Slowe <m.s...@kent.ac.uk> | Tel: +44 (0)1227 824265
Server Infrastructure Team, IS | Fax: +44 (0)1227 824078
University of Kent, Canterbury, Kent | Web: http://www.kent.ac.uk/
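As an added example of the mapping Matthew describes (mine, not code from the thread or from the simpleSAMLphp project), this is the shape of an entry in metadata/saml20-sp-remote.php that renames attributes for one SP. The entityID, the AssertionConsumerService URL and the groupMembership-to-memberOf rename are placeholders; name2oid is one of the map files shipped in simpleSAMLphp's attributemap/ directory.

```php
<?php
// metadata/saml20-sp-remote.php (added example; the entityID, ACS URL and
// the memberOf rename are placeholders, not values from the thread)
$metadata['https://sp.example.org/saml/metadata'] = array(
    'AssertionConsumerService' => 'https://sp.example.org/saml/acs',

    // Filters listed here run for this SP only. The same block in
    // metadata/saml20-idp-hosted.php would apply to every SP. The numeric
    // key is the priority: filters from both files are merged and run in
    // ascending order.
    'authproc' => array(
        50 => array(
            'class' => 'core:AttributeMap',
            // string key => value: rename one attribute (source => sent)
            'groupMembership' => 'memberOf',
            // bare value: load attributemap/name2oid.php, which turns e.g.
            // 'mail' into 'urn:oid:0.9.2342.19200300.100.1.3'
            'name2oid',
        ),
    ),
);
```

Mapping only changes the names the SP sees, never the values; if the SP's uniqueness requirement is about the value (as in the rest of this thread), a rename alone will not satisfy it. Whichever names the SP expects, confirm what actually arrives on the SP side rather than assuming the map was applied.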

John Rodkey

Dec 18, 2012, 6:42:02 PM
to simple...@googlegroups.com
I have a specific need to which I think an authproc filter might be the solution, but I'm confused as to how to go about it.

My SP wants a unique userID that would be an email address.  e.g. rod...@westmont.edu
My first solution was to send the LDAP attribute 'mail' from our IdP.

However, mail is a multi-valued variable, so it doesn't satisfy the uniqueness prerequisite.
I only want to send the equivalent of <cn>@mydomain.com where CN comes from the LDAP IdP.

Here's what I've got in metadata/saml20-sp-remote.php  now to send the mail attribute:
  'simplesaml.nameidattribute' => 'mail', 
  'simplesaml.attributes'      => true,
  'attributes' => array('givenName','sn','mail','groupMembership')

How do I set up authproc to munge cn into cnmail?  

Presumably I would then have an sp-remote containing
  'simplesaml.nameidattribute' => 'cnmail',
  'simplesaml.attributes'      => true,
  'attributes' => array('givenName','sn','cnmail','groupMembership')

And something somewhere else that does something like
  cnmail = cn + '@mydomain.com'

It's that last piece that I have no idea where or how to do.

Can the authproc experts come to my rescue?

John


--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To post to this group, send email to simple...@googlegroups.com.
To unsubscribe from this group, send email to simplesamlph...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/simplesamlphp?hl=en.


Jason Haar

Dec 18, 2012, 8:02:50 PM
to simple...@googlegroups.com
On Wednesday, 19 December 2012 12:42:02 UTC+13, John Rodkey wrote:

> However, mail is a multi-valued variable, so it doesn't satisfy the uniqueness prerequisite.
> I only want to send the equivalent of <cn>@mydomain.com where CN comes from the LDAP IdP.


Are you sure about that? Typically mail addresses are unique. Are you confusing the fact that someone may have several email addresses with the necessity for uniqueness? E.g. I have several email addresses, and any of them could be used to uniquely associate a SAML login with me (i.e. if you see any of those addresses, it has to be me). If you are referring to Active Directory LDAP, simply use the "mail" attribute as the unique identifier and ignore the proxyAddresses (mail aliases). Also, SSP will expose that attribute as a multi-valued array, but only the first value is filled in, so it's not really multi-valued...

John Rodkey

Dec 19, 2012, 11:08:32 AM
to simple...@googlegroups.com
Thanks for the feedback.
Yes, I'm sure. If the mail address comes back multi-valued, then the account name is indeterminate (either chosen randomly from the list, always the first or always the last...), whereas our group account membership information is always tied to the primary email account, c...@mydomain.com .
We're not on AD, so don't have proxyAddresses.

John


Matthew Slowe

Dec 19, 2012, 11:24:58 AM
to <simplesamlphp@googlegroups.com>

On 18 Dec 2012, at 23:42, John Rodkey wrote:

> I have a specific need to which I think an authproc filter might be the solution, but I'm confused as to how to go about it.
>
> My SP wants a unique userID that would be an email address. e.g. rod...@westmont.edu
> My first solution was to send the LDAP attribute 'mail' from our IdP.
>
> However, mail is a multi-valued variable, so it doesn't satisfy the uniqueness prerequisite.
> I only want to send the equivalent of <cn>@mydomain.com where CN comes from the LDAP IdP.
>
> Here's what I've got in metadata/saml20-sp-remote.php now to send the mail attribute:
> 'simplesaml.nameidattribute' => 'mail',
> 'simplesaml.attributes' => true,
> 'attributes' => array('givenName','sn','mail','groupMembership')
>
> How do I set up authproc to munge cn into cnmail?
>
> Presumably I would then have a sp-remote containing
> 'simplesaml.nameidattribute' => 'cnmail',
> 'simplesaml.attributes' => true,
> 'attributes' => array('givenName','sn','cnmail','groupMembership')
>
> And something somewhere else that does something like
> cnmail = cn+'@mydomain.com'
>
> It's that last piece that I have no idea where or how to do.
>
> Can the authproc experts come to my rescue?

I'm no expert but this might put you on the right track:

Either using "core:AttributeAlter": http://simplesamlphp.org/docs/stable/core:authproc_attributealter (which I've not done before)

or

Doing it in custom PHP: http://simplesamlphp.org/docs/stable/core:authproc_php

Hope that helps,
foo

John Rodkey

Dec 19, 2012, 5:26:24 PM
to simple...@googlegroups.com
What do you think of these two alterations?  Will they perform the actions specified in the comments?

#  Replace the mail attribute with cn
10 => array(
    'class'   => 'core:AttributeAlter',
    'subject' => 'cn',
    'pattern' => '/$/',
    'target'  => 'mail',
    '%replace',
),
#  add @mydomain.com to the newly created mail attribute
15 => array(
    'class'       => 'core:AttributeAlter',
    'subject'     => 'mail',
    'pattern'     => '/$/',
    'replacement' => '@mydomain.com',
    '%replace',
),

And where to put these in order to only apply to our box SP is the next question.

John Rodkey

Dec 20, 2012, 6:12:50 PM
to simple...@googlegroups.com
Any comments by the experts on this? I hate to put it into a production system and perhaps interfere with access to the service if I didn't get it right. Also, I still don't know exactly where to put the stanzas.

John

Matthew Slowe

Dec 24, 2012, 1:49:58 PM
to <simplesamlphp@googlegroups.com>
You put it in an 'authproc' element in your SP metadata (e.g. saml20-sp-remote).

I've not tested what you've put but I would highly recommend you do – if only by setting up a test SP instance somewhere (same server would be ok in a different place). 

I have a feeling the pattern in the first replacement is wrong. That said, again without testing, I'd probably try doing it with AttributeMap followed by AttributeRealm rather than two Alters.

Sent from my mobile device.

John Rodkey

Jan 3, 2013, 2:01:48 PM
to simple...@googlegroups.com
Thank you for your response, Michael.  
I don't quite understand how AttributeRealm would be helpful.  Perhaps it's because I'm fundamentally fuzzy on authproc in general...  
BTW, since my SP is box.com, I don't have any control over making a test server, to the best of my knowledge:  I just have to put it in place, and if it fails, I put back in the original config and try something else.  Terribly inefficient, but what else to do?

John

John Rodkey

Jan 3, 2013, 3:06:26 PM
to simple...@googlegroups.com
OK, read through the authproc docs again, and perhaps I'm starting to see where you might be going with this, Matthew  (sorry about calling you Michael earlier...).
I think what you're suggesting is something like this:

'authproc' => array(

    # Map cn to mail and mail to aliases
    10 => array(
        'class'   => 'core:AttributeMap',
        'mail'    => 'cn',
        'aliases' => 'mail',
    ),

    # figure out the domain name (realm)
    20 => array(
        'class' => 'core:AttributeRealm',
    ),

    # append realm to mail ... not sure how to do this.
    30 => array(
        'class'       => 'core:AttributeAlter',
        'subject'     => 'mail',  # is this the newly mapped mail or the old mail?
        'pattern'     => '/$/',
        'replacement' => '@mydomain.com',  # should this be 'replacement' => '$realm' ?
        '%replace',
    ),
),

I still don't quite get how setting 'realm' to @mydomain.com (which is what I gather core:AttributeRealm does) helps for appending it to the mail parameter.

John

Matthew Slowe

Jan 4, 2013, 2:29:12 AM
to <simplesamlphp@googlegroups.com>

On 3 Jan 2013, at 20:06, John Rodkey <rod...@westmont.edu> wrote:

> OK, read through the authproc docs again, and perhaps I'm starting to see where you might be going with this, Matthew (sorry about calling you Michael earlier...).

No worries!

> I still don't quite get how setting 'realm' to @mydomain.com (which is what I gather core:AttributeRealm does) helps for appending it to the mail parameter.

I appear to have led you up the garden path somewhat... I thought that AttributeRealm added a specified Realm to an existing attribute rather than extract it and set another variable.

Having re-read the documentation, I'd go with your two AttributeAlters or some core:PHP.

Sorry.
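Matthew's closing advice (AttributeAlter or core:PHP, placed in the SP's own sp-remote entry) in working form, as an added example that is not code from the list or from the simpleSAMLphp project. It assumes the IdP domain mydomain.com from the thread; attributeAlterSubstitute() is my own simplified model of core:AttributeAlter's default preg_replace mode, written so the file runs stand-alone under the php CLI, and is not the project's class. The sample attribute set is constructed.

```php
<?php
// Added example for this thread, not code from the list or from the
// simpleSAMLphp project. attributeAlterSubstitute() is an assumption: a
// simplified model of core:AttributeAlter's preg_replace mode, so that the
// file runs on its own with `php`.

// Goes inside the Box SP's entry in metadata/saml20-sp-remote.php, so the
// filters run for that SP only (saml20-idp-hosted.php would hit every SP).
// Filters 10 and 20 are alternatives; keep one of them.
$spRemoteEntry = array(
    'simplesaml.nameidattribute' => 'mail',   // unchanged: 'mail' now carries cn@mydomain.com
    'simplesaml.attributes'      => true,
    'attributes' => array('givenName', 'sn', 'mail', 'groupMembership'),
    'authproc' => array(
        // Option 1: one AttributeAlter without '%replace'. In that mode the
        // filter runs preg_replace() over every cn value and stores the
        // result in 'target', so one filter copies and appends in a single
        // step. (My reading of the docs: with '%replace' the replacement
        // becomes the whole value, so two '%replace' filters cannot build
        // cn@domain.)
        10 => array(
            'class'       => 'core:AttributeAlter',
            'subject'     => 'cn',
            'pattern'     => '/^(.+)$/',
            'replacement' => '$1@mydomain.com',
            'target'      => 'mail',
        ),
        // Option 2: core:PHP with explicit checks. The SP keys accounts on
        // this value, so an ambiguous cn must fail the login, not be guessed.
        20 => array(
            'class' => 'core:PHP',
            'code'  => '
                if (!isset($attributes["cn"]) || count($attributes["cn"]) !== 1) {
                    throw new SimpleSAML_Error_Exception("Need exactly one cn to build the SP identifier");
                }
                if (!preg_match("/^[A-Za-z0-9._-]+\$/", $attributes["cn"][0])) {
                    throw new SimpleSAML_Error_Exception("cn contains characters not allowed in the identifier");
                }
                $attributes["mail"] = array($attributes["cn"][0] . "@mydomain.com");
            ',
        ),
    ),
);

// Assumed model of core:AttributeAlter in preg_replace mode: rewrite every
// value of 'subject' and store the results under 'target'.
function attributeAlterSubstitute(array $attributes, array $filter)
{
    $subject = $filter['subject'];
    $target  = isset($filter['target']) ? $filter['target'] : $subject;
    if (empty($attributes[$subject])) {
        return $attributes;   // nothing to rewrite
    }
    $attributes[$target] = preg_replace($filter['pattern'], $filter['replacement'], $attributes[$subject]);
    return $attributes;
}

// The same derivation as option 2, as a plain function so it can run here:
// exactly one cn, restricted to a safe local-part character set, so two
// directory entries can never collapse onto one SP identifier and no cn can
// smuggle an '@' or whitespace into the value.
function deriveMailFromCn(array $attributes, $domain)
{
    if (!isset($attributes['cn']) || count($attributes['cn']) !== 1) {
        throw new RuntimeException('Need exactly one cn to build the SP identifier');
    }
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $attributes['cn'][0])) {
        throw new RuntimeException('cn contains characters not allowed in the identifier');
    }
    return $attributes['cn'][0] . '@' . $domain;
}

// Constructed sample, shaped like what the LDAP authsource delivers.
$fromLdap = array(
    'cn'              => array('jrodkey'),
    'givenName'       => array('John'),
    'sn'              => array('Rodkey'),
    'mail'            => array('jrodkey@mydomain.com', 'john.rodkey@mydomain.com'), // the multi-valued problem
    'groupMembership' => array('cn=staff,ou=groups,o=mydomain'),
);

$viaAlter = attributeAlterSubstitute($fromLdap, $spRemoteEntry['authproc'][10]);
echo "AttributeAlter: ", implode(', ', $viaAlter['mail']), "\n";
echo "core:PHP:       ", deriveMailFromCn($fromLdap, 'mydomain.com'), "\n";

// A directory entry with two cn values is rejected rather than guessed at.
try {
    deriveMailFromCn(array('cn' => array('jrodkey', 'john')), 'mydomain.com');
} catch (RuntimeException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
```

Both options overwrite the multi-valued 'mail' with a single cn@mydomain.com, so the existing 'simplesaml.nameidattribute' => 'mail' and the 'attributes' release list need no change. Before touching the Box entry, copy the same 'authproc' block into a local test SP's sp-remote entry (the default-sp authsource that ships with a simpleSAMLphp install can play that role) and check the attributes that arrive there.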