Scripted Affiliation in Attribute Resolver

In some circumstances the affiliation values required for eduPersonScopedAffiliation and eduPersonAffiliation are not available in the organisation's directory service, and it may be more straightforward to configure a scripted attribute that generates them from membership of an OrganizationalUnit (OU) or Container (CN).

Examples of scripted attributes have been distributed previously; this version has been updated to work with Shibboleth 3.3.0 onwards on Java 1.8 with the Rhino engine. It is based on the Resolver Script Attribute Definition examples.

The following are two AttributeDefinitions, one each for eduPersonScopedAffiliation and eduPersonAffiliation. Both take their values from the scripted attribute AffiliationusingDN defined further down.

    <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}"
                         sourceAttributeID="AffiliationusingDN">
        <Dependency ref="AffiliationusingDN" />
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1ScopedString"
                          name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                          encodeType="false" />
        <AttributeEncoder xsi:type="SAML2ScopedString"
                          name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
                          friendlyName="eduPersonScopedAffiliation"
                          encodeType="false" />
    </AttributeDefinition>

    <AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation"
                         sourceAttributeID="AffiliationusingDN">
        <Dependency ref="AffiliationusingDN" />
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1String"
                          name="urn:mace:dir:attribute-def:eduPersonAffiliation"
                          encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String"
                          name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                          friendlyName="eduPersonAffiliation"
                          encodeType="false" />
    </AttributeDefinition>

The following is a ScriptedAttribute definition that derives the affiliations from the dn or distinguishedName attribute returned by LDAP.

Note:

  • You may need to update your ldap.properties to include distinguishedName in idp.attribute.resolver.LDAP.returnAttributes.
  • You should update the OU=... values tested in the script as appropriate to the OrganizationalUnit (OU) or Container (CN) names in your LDAP directory.

    <AttributeDefinition xsi:type="ScriptedAttribute" id="AffiliationusingDN">
        <Dependency ref="myLDAP" />
        <Script><![CDATA[
                    // Java 8 ships the Nashorn engine; this compatibility script
                    // supplies the Rhino-style importPackage() used below.
                    load("nashorn:mozilla_compat.js");
                    // Legacy IdP v2 package import; harmless under Nashorn and not needed on IdP v3.
                    importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

                    // Only act when LDAP actually returned a distinguishedName; if the
                    // attribute was not resolved the variable is undefined and the
                    // original unguarded get(0) would throw, failing the whole resolution.
                    if (typeof distinguishedName !== "undefined" && distinguishedName.getValues().size() > 0) {
                        var dn = distinguishedName.getValues().get(0);

                        // Substring checks are case-sensitive and also match any OU whose
                        // name merely contains the text (e.g. OU=Students-Alumni), so keep
                        // the OU names here aligned with the directory exactly.
                        if (dn.contains("OU=Students")) {
                            AffiliationusingDN.getValues().add("student");
                            AffiliationusingDN.getValues().add("member");
                        } else if (dn.contains("OU=Staff") || dn.contains("OU=IT") || dn.contains("OU=Admin")) {
                            AffiliationusingDN.getValues().add("staff");
                            AffiliationusingDN.getValues().add("member");
                        } else {
                            // Anyone else in the directory is treated as an affiliate.
                            AffiliationusingDN.getValues().add("affiliate");
                        }
                    }
                ]]></Script>
    </AttributeDefinition>
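The script above matches OU names as substrings of the DN, so OU=Students also matches OU=Students-Alumni, and a user placed in a nested OU only ever receives the first matching branch. As an added example that is not part of the original page or the Shibboleth distribution, the following maps a DN to affiliations by splitting it into RDNs (honouring backslash-escaped commas) and matching whole OU values; the OU names, the mapping table and the function names are assumptions, and the code is kept to ES5 syntax so the same logic could be adapted to a Nashorn script block.

```javascript
// Added example (not the page's own code): derive eduPersonAffiliation values
// by matching whole OU components of the DN rather than substrings of it.

// Constructed mapping from lower-cased OU name to affiliations (assumption).
var OU_AFFILIATIONS = { "students": ["student", "member"], "staff": ["staff", "member"],
                        "it": ["staff", "member"], "admin": ["staff", "member"] };

// Split a DN into its RDN strings, honouring backslash-escaped commas as in
// RFC 4514, e.g. "CN=Doe\, Jane,OU=Staff,DC=example,DC=edu" yields 4 RDNs.
function splitRdns(dn) {
  var rdns = [], current = "", escaped = false;
  for (var i = 0; i < dn.length; i++) {
    var c = dn.charAt(i);
    if (escaped) { current += c; escaped = false; }
    else if (c === "\\") { current += c; escaped = true; }
    else if (c === ",") { rdns.push(current); current = ""; }
    else { current += c; }
  }
  if (current.length > 0) { rdns.push(current); }
  return rdns;
}

// Return the lower-cased value of every OU component in the DN, in order.
function ouValues(dn) {
  var out = [], rdns = splitRdns(dn);
  for (var i = 0; i < rdns.length; i++) {
    var eq = rdns[i].indexOf("=");
    if (eq < 0) { continue; }
    var type = rdns[i].substring(0, eq).trim().toLowerCase();
    if (type === "ou") { out.push(rdns[i].substring(eq + 1).trim().toLowerCase()); }
  }
  return out;
}

// Union of the affiliations of every matching OU; "affiliate" when none
// match; an empty list when no DN is available so nothing gets asserted.
function affiliationsFromDN(dn) {
  if (!dn) { return []; }
  var result = [], seen = {}, ous = ouValues(dn);
  for (var i = 0; i < ous.length; i++) {
    // hasOwnProperty guards against OU names such as "constructor".
    var key = ous[i];
    var affs = Object.prototype.hasOwnProperty.call(OU_AFFILIATIONS, key) ? OU_AFFILIATIONS[key] : [];
    for (var j = 0; j < affs.length; j++) {
      if (!seen[affs[j]]) { seen[affs[j]] = true; result.push(affs[j]); }
    }
  }
  return result.length > 0 ? result : ["affiliate"];
}
```

In a resolver script the returned list would be added to AffiliationusingDN.getValues() in a loop instead of being returned.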