Skip to content

Instantly share code, notes, and snippets.

@odyssey4me

odyssey4me/attribute-map.xml

Last active September 23, 2021 16:44
Show Gist options
  • Save odyssey4me/3893d9182a12bf665f7a to your computer and use it in GitHub Desktop.
Save odyssey4me/3893d9182a12bf665f7a to your computer and use it in GitHub Desktop.
Download ZIP
Working Shibboleth-based Keystone SP for ADFS IdP
Raw
attribute-map.xml
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" id="upn"/>
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" id="givenname"/>
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" id="surname"/>
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" id="emailaddress"/>
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" id="name"/>
<Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" id="primarysid"/>
<Attribute name="http://schemas.xmlsoap.org/claims/Group" id="Group"/>
</Attributes>
Raw
example-session-info
A Shibboleth session shows the following attributes available from the IdP:
Attributes
Group: Domain Users
emailaddress: [email protected]
givenname: Super
primarysid: S-1-5-21-2917001131-1385516553-613696311-1108
surname: Ego
upn: [email protected]
Raw
keystone-rules.yml
[
{
"local": [
{
"user": {
"id": "{0}",
"name": "{1}_{2}",
"email": "{3}"
}
}
],
"remote": [
{ "type": "primarysid" },
{ "type": "givenname" },
{ "type": "surname" },
{ "type": "upn" }
]
},
{
"local": [
{
"group": {
"name": "fedgroup",
"domain": { "name": "Default" }
}
}
],
"remote": [
{
"type": "Group",
"any_one_of": [ "Domain Users" ]
}
]
}
]
Raw
shibboleth.xml
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
<OutOfProcess logger="/etc/shibboleth/shibd.logger">
<Extensions>
<Library path="adfs.so" fatal="true"/>
</Extensions>
</OutOfProcess>
<!-- The InProcess section conrains settings affecting web server modules/filters. -->
<InProcess logger="/etc/shibboleth/native.logger">
<Extensions>
<Library path="adfs-lite.so" fatal="true"/>
</Extensions>
<ISAPI normalizeRequest="true">
<!--
Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
required so that the proper <Host> in the request map above is found without
having to cover every possible DNS/IP combination the user might enter.
The port and scheme can usually be omitted, so the HTTP request's port and
scheme will be used.
-->
<Site id="1" name="my_sp_dns_or_ip:5000"/>
</ISAPI>
</InProcess>
<!-- The entityID is the name by which your IdP will know your SP. -->
<ApplicationDefaults entityID="https://my_sp_dns_or_ip:5000/shibboleth">
<!-- You should use secure cookies if at all possible. See cookieProps in this Wiki article. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
<Sessions lifetime="3600"
timeout="1800"
relayState="ss:mem"
checkAddress="false"
handlerSSL="true"
cookieProps="https">
<!-- Triggers a login request directly to the IdP. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
<SSO ECP="true" entityID="http://my_idp_dns_or_ip/adfs/services/trust">
SAML2 SAML1 ADFS
</SSO>
<!-- SAML and local-only logout. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
<Logout asynchronous="false">
SAML2 ADFS Local
</Logout>
<!--
Handlers allow you to interact with the SP and gather more information.
Attribute values received by the SP through SAML will be visible at:
https://my_sp_dns_or_ip:5000/Shibboleth.sso/Session
-->
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator"
Location="/Metadata"
signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!--
Loads and trusts a list of metadata files which describes
the trusted IdP's and how to communicate with them.
-->
<MetadataProvider type="XML"
uri="https://my_idp_dns_or_ip/FederationMetadata/2007-06/FederationMetadata.xml"
backingFilePath="metadata-adfs-idp.xml"
reloadInterval="360" />
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML"
validate="true"
path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query"
subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML"
validate="true"
path="attribute-policy.xml"/>
<!-- Your SP generated these credentials. They're used to talk to IdP's. -->
<CredentialResolver type="File"
key="sp-key.pem"
certificate="sp-cert.pem"/>
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML"
validate="true"
path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML"
validate="true"
reloadChanges="false"
path="protocols.xml"/>
</SPConfig>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment