Identity Provider Configuration: eduPersonTargetedID and Active Directory

It is usual to source eduPersonTargetedID from the attribute matched against the principal, i.e. the authenticated user's login name. For an organisation using Microsoft Active Directory, however, the objectSid is the best source for eduPersonTargetedID: it is unique over space and time, so the possibility of an eduPersonTargetedID value being reused for a different user is avoided. The code required differs from that used when seeding from the principal, because objectSid is a binary attribute, and converting it to a string is lossy: the last few bytes of the value can be dropped. Since those trailing bytes are what distinguish one user from another within the same domain, this can result in the same eduPersonTargetedID value being generated for more than one user at the organisation. The SIDAsBase64 scriptlet below is provided as a workaround for this problem.

The following property must be added to the <JNDIDirectoryDataConnector>:

<Property name="java.naming.ldap.attributes.binary" value="objectSid objectGUID"/>

The <JNDIDirectoryDataConnector> should then look like this:

<JNDIDirectoryDataConnector id="directory">
    <Search filter="sAMAccountName=%PRINCIPAL%">
        <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
    </Search>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
    <Property name="java.naming.provider.url"
              value="ldap://ldap.uni.ac.uk:389/CN=Users,DC=uni,DC=ac,DC=uk" />
    <Property name="java.naming.security.principal" value="ldapuser@uni.ac.uk" />
    <Property name="java.naming.security.credentials" value="Password" />
    <Property name="java.naming.ldap.attributes.binary" value="objectSid objectGUID"/>
</JNDIDirectoryDataConnector>

The <PersistentIDAttributeDefinition> must then be replaced with the following, using your existing salt string in the <Salt> element and replacing "uni.ac.uk" with your own scope:

<ScriptletAttributeDefinition id="SIDAsBase64">
    <DataConnectorDependency requires="directory"/>
    <Scriptlet><![CDATA[
        import javax.naming.directory.Attribute;
        import javax.naming.directory.Attributes;
        import org.bouncycastle.util.encoders.Base64;

        // Fetch the attributes returned by the "directory" data connector.
        Attributes resolvedAttributes = dependencies.getConnectorResolution("directory");
        Attribute id = resolvedAttributes.get("objectSid");

        // objectSid is returned as byte[] because it is listed in
        // java.naming.ldap.attributes.binary. Base64-encode the raw bytes
        // rather than converting them to a String, so no bytes are lost.
        byte[] rawSid = (byte[]) id.get(0);
        String b64id = new String(Base64.encode(rawSid));

        resolverAttribute.addValue(b64id);
    ]]></Scriptlet>
</ScriptletAttributeDefinition>

<PersistentIDAttributeDefinition
    id="urn:mace:dir:attribute-def:eduPersonTargetedID" scope="uni.ac.uk">
    <AttributeDependency requires="SIDAsBase64"/>
    <Salt>saltstring.......</Salt>
</PersistentIDAttributeDefinition>
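To see why the raw bytes must be Base64-encoded rather than converted to text, here is an added Python example (not part of the original configuration, nor Shibboleth code) that builds the binary objectSid layout for two constructed SIDs differing only in their final sub-authority, then compares a lossy text conversion with the Base64 form the scriptlet produces. The lossy_string function and the targeted_id hash layout are assumptions for illustration, not the IdP's own code paths.

```python
import base64
import hashlib
import struct

# Constructed sample SIDs (not from the page): two accounts in one domain,
# differing only in the trailing relative identifier (RID).
SID_A = "S-1-5-21-1004336348-1177238915-682003330-1001"
SID_B = "S-1-5-21-1004336348-1177238915-682003330-1002"

def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID as the binary objectSid layout: revision (1 byte),
    sub-authority count (1 byte), 48-bit big-endian identifier authority,
    then each 32-bit sub-authority little-endian. The RID is the last 4 bytes."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)

def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, used to check the layout round-trips."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def sid_as_base64(raw: bytes) -> str:
    """What the SIDAsBase64 scriptlet produces: every byte survives."""
    return base64.b64encode(raw).decode("ascii")

def lossy_string(raw: bytes) -> str:
    """Stand-in (assumed, not the IdP's exact conversion) for treating the
    binary SID as text: bytes outside printable ASCII are silently dropped,
    which is where the trailing RID bytes go missing."""
    return "".join(chr(b) for b in raw if 0x20 <= b < 0x7F)

def targeted_id(relying_party: str, source_id: str, salt: str) -> str:
    """Salted SHA-1 over relyingParty!sourceId!salt, Base64-encoded. This layout
    is assumed here to show how a collision in the source value propagates;
    check your own IdP version for its actual persistent-ID computation."""
    data = "%s!%s!%s" % (relying_party, source_id, salt)
    return base64.b64encode(hashlib.sha1(data.encode("utf-8")).digest()).decode("ascii")

if __name__ == "__main__":
    a, b = sid_to_bytes(SID_A), sid_to_bytes(SID_B)
    print("lossy equal:", lossy_string(a) == lossy_string(b))        # True: collision
    print("base64 equal:", sid_as_base64(a) == sid_as_base64(b))    # False: distinct
```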

For more information about this issue please see https://wiki.shibboleth.net/confluence/display/SHIB2/IdPADConfigIssues.