[user_saml shib] expose group info via IdP

- changes quota attribute name from misunderstood urn, to plain "quota" - provides "groups" attribute with the common names of those Signed-off-by: Arthur Schiwon <[email protected]>
nextcloud · Nov 10, 2022 · 94cc465 · 94cc465
1 parent 7c67b34
commit 94cc465
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 22 deletions.
diff --git a/user_saml_shibboleth-php8.0/shibboleth/conf/attribute-filter.xml b/user_saml_shibboleth-php8.0/shibboleth/conf/attribute-filter.xml
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- 
-    This file is an EXAMPLE policy file.  While the policy presented in this 
+<!--
+    This file is an EXAMPLE policy file.  While the policy presented in this
     example file is illustrative of some simple cases, it relies on the names of
     non-existent example services and the example attributes demonstrated in the
     default attribute-resolver.xml file.
-    
+
     Deployers should refer to the documentation for a complete list of components
     and their options.
 -->
@@ -21,10 +21,6 @@
     <afp:AttributeFilterPolicy id="example1">
         <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://localhost/index.php/apps/user_saml/saml/metadata" />
 
-        <afp:AttributeRule attributeID="eduPersonPrincipalName">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
-
         <afp:AttributeRule attributeID="uid">
             <afp:PermitValueRule xsi:type="basic:ANY" />
         </afp:AttributeRule>
@@ -41,10 +37,13 @@
             <afp:PermitValueRule xsi:type="basic:ANY" />
         </afp:AttributeRule>
 
-        <afp:AttributeRule attributeID="eduPersonPrincipalName">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+		<afp:AttributeRule attributeID="quota">
+			<afp:PermitValueRule xsi:type="basic:ANY"/>
+		</afp:AttributeRule>
 
+		<afp:AttributeRule attributeID="groups">
+			<afp:PermitValueRule xsi:type="basic:ANY"/>
+		</afp:AttributeRule>
 
     </afp:AttributeFilterPolicy>
 

diff --git a/user_saml_shibboleth-php8.0/shibboleth/conf/attribute-resolver.xml b/user_saml_shibboleth-php8.0/shibboleth/conf/attribute-resolver.xml
@@ -1,12 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- 
+<!--
     This file is an EXAMPLE configuration file containing lots of commented
     example attributes, encoders, and a couple of example data connectors.
-    
+
     Not all attribute definitions or data connectors are demonstrated, but
     a variety of LDAP attributes, some common to Shibboleth deployments and
     many not, are included.
-    
+
     Deployers should refer to the Shibboleth 2 documentation for a complete
     list of components  and their options.
 -->
@@ -141,8 +141,13 @@
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="quota" sourceAttributeID="quota">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:quota" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:quota" friendlyName="quota" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="quota" friendlyName="quota" encodeType="false" />
     </resolver:AttributeDefinition>
+
+	<resolver:AttributeDefinition id="groups" xsi:type="ad:Simple" sourceAttributeID="cn">
+		<resolver:Dependency ref="groupMemberships" />
+		<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="groups" friendlyName="groups"/>
+	</resolver:AttributeDefinition>
 <!--
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="initials" sourceAttributeID="initials">
         <resolver:Dependency ref="myLDAP" />
@@ -158,12 +163,12 @@
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" />
     </resolver:AttributeDefinition>
-    
+
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
-    </resolver:AttributeDefinition> 
+    </resolver:AttributeDefinition>
 
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="employeeNumber" sourceAttributeID="employeeNumber">
         <resolver:Dependency ref="myLDAP" />
@@ -239,7 +244,7 @@
         <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
     </resolver:AttributeDefinition>
-    
+
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAssurance" sourceAttributeID="eduPersonAssurance">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" />
@@ -264,8 +269,8 @@
     <!--
     <resolver:DataConnector id="mySIS" xsi:type="dc:RelationalDatabase">
         <dc:ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
-                                         jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB" 
-                                         jdbcUserName="myid" 
+                                         jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
+                                         jdbcUserName="myid"
                                          jdbcPassword="mypassword" />
         <dc:QueryTemplate>
             <![CDATA[
@@ -280,7 +285,7 @@
 
     <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
         ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
-        baseDN="%{idp.attribute.resolver.LDAP.baseDN}" 
+        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
         principal="%{idp.attribute.resolver.LDAP.bindDN}"
         principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
         useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
@@ -296,4 +301,20 @@
     -->
     </resolver:DataConnector>
 
+	<resolver:DataConnector id="groupMemberships" xsi:type="dc:LDAPDirectory"
+		ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+		baseDN="%{idp.attribute.resolver.LDAP.groupBaseDN}"
+		principal="%{idp.attribute.resolver.LDAP.bindDN}"
+		principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+		useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+		maxResultSize="0"
+	>
+		<dc:FilterTemplate>
+			<![CDATA[
+				%{idp.attribute.resolver.LDAP.groupFilter}
+			]]>
+		</dc:FilterTemplate>
+		<dc:ReturnAttributes>cn</dc:ReturnAttributes>
+	</resolver:DataConnector>
+
 </resolver:AttributeResolver>
diff --git a/user_saml_shibboleth-php8.0/shibboleth/conf/ldap.properties b/user_saml_shibboleth-php8.0/shibboleth/conf/ldap.properties
@@ -20,7 +20,7 @@ idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-s
 ## Return attributes during authentication
 ## NOTE: this is not used during attribute resolution; configure that directly in the
 ## attribute-resolver.xml configuration via a DataConnector's <dc:ReturnAttributes> element
-idp.authn.LDAP.returnAttributes                 = cn,businessCategory,mail
+idp.authn.LDAP.returnAttributes                 = cn,mail,quota,groups
 
 ## DN resolution properties ##
 
@@ -41,11 +41,13 @@ idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,dc=idptestbed
 # LDAP attribute configuration, see attribute-resolver.xml
 idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
 idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN}
+idp.attribute.resolver.LDAP.groupBaseDN         = ou=Groups,dc=idptestbed
 idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN}
 idp.attribute.resolver.LDAP.bindDNCredential    = %{idp.authn.LDAP.bindDNCredential}
 idp.attribute.resolver.LDAP.useStartTLS         = %{idp.authn.LDAP.useStartTLS:true}
 idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates}
 idp.attribute.resolver.LDAP.searchFilter        = (uid=$requestContext.principalName)
+idp.attribute.resolver.LDAP.groupFilter         = (&(objectclass=groupOfNames)(member=uid=$requestContext.principalName,ou=People,*))
 
 # LDAP pool configuration, used for both authn and DN resolution
 #idp.pool.LDAP.minSize                          = 3
@@ -56,4 +58,4 @@ idp.attribute.resolver.LDAP.searchFilter        = (uid=$requestContext.principal
 #idp.pool.LDAP.prunePeriod                      = 300
 #idp.pool.LDAP.idleTime                         = 600
 #idp.pool.LDAP.blockWaitTime                    = 3000
-#idp.pool.LDAP.failFastInitialize               = false
+#idp.pool.LDAP.failFastInitialize               = false