By: Will Beacon user 10 Jan 2018 at 8:57 a.m. CST

8 Responses
Hello all. I'm new to Gluu, SAML, and SSO but I've been experimenting with using Gluu as an IDP. I've managed to get Gluu installed. I've managed to get Shibboleth applied to a test website. Attempting to hit that site fires the redirect to Gluu where I login, and the SAML assertion is passed back to my site. The attributes I've configured for release are being passed back. That's all fine.

The problem I'm facing is that I would like to release an extra attribute with the SAML assertion that's passed back, the extra attribute being 'employeeNumber'. I've run through the following documentation... https://gluu.org/docs/ce/admin-guide/attribute/#add-the-attribute-to-oxtrust

The attribute appears to have been added, or already exists and is not visible. If I try and add employeeNumber again, I get an 'already exists' warning/error. However, I can't see the attribute on the 'Attribute Inventory' screen. This suggests to me that although the attribute exists, it is not associated with the 'gluuPerson' or 'eduPerson' personObjectClassTypes that are with the server install out of the box. I therefore can't release the attribute on my Trust Relationship, and I can set/assign the attribute when creating a new user on the server.

So questions are...

1. How do I associate the employeeNumber attribute with the default 'gluuPerson' personObjectClassType so it's available for release on a TR, and can be set when adding a new User on the server?
2. Is altering the gluuPerson personObjectClassType (adding the extra attribute) the correct way to go, or is it preferable to create a custom personObjectClassType and assign the various attributes I need to the new custom personObjectClassType?
3. How do you get a custom personObjectClassType (and its associated attributes) to appear as a tab on the new/update User screen?

Any assistance would be appreciated - I'm sure I'm just missing something, particularly with the attribute creation!

By Mohib Zico Account Admin 11 Jan 2018 at 8:19 a.m. CST

Hi Will, 'EmployeeNumber' is already available. If you click on the `Show All Attributes` button from the Configuration > Attributes page, you will see that. [ Screenshot attached ]

By Will Beacon user 11 Jan 2018 at 8:40 a.m. CST

Hey Mohib - thanks for your reply. That explains why I can't add that attribute again. I'm guessing it's there but not visible. Here's a screen grab of the attribute inventory screen on the server we've configured. As you can see, there are no 'gluuCustomPerson' origin attributes (including employeeNumber). Also, when I have a look at the JSON configuration screen, we have no 'gluuCustomPerson' personObjectClassType.

What's your feeling here? Have we made an incorrect step with the Gluu installation? Would a re-install of Gluu set the server up with three personObjectClassTypes: gluuPerson, eduPerson and gluuCustomPerson? Many thanks.

![attribute inventory](https://i.imgur.com/UJEdV4O.png "attribute inventory")

![personObjectClassTypes](https://i.imgur.com/f1ndIOb.png "personObjectClassTypes")

By Mohib Zico Account Admin 11 Jan 2018 at 8:51 a.m. CST

Yes, you have to use the 'Show All Attributes' button; please check my attached screenshot in the previous comment. 'gluuCustomPerson' is only for those attributes which are custom attributes (created by the Gluu Server administrator).

By Will Beacon user 11 Jan 2018 at 9:06 a.m. CST

Thanks for that screenshot Mohib. In the screenshot I attached I did in fact have 'show all attributes' selected, apologies that wasn't clear. Here is another screenshot highlighting this. As you can see, the employeeNumber attribute is not visible. In fact, no attributes related to the 'gluuCustomPerson' origin are visible.

So the question is now, why can I not see the attributes associated with the 'gluuCustomPerson' personObjectClassType in my setup? Could this be rectified with a re-install of the Gluu server? If not, is there some documentation to run through how to set up a new personObjectClassType and associate attributes via the JSON configuration screen? Or do you need to do this via shell onto the server? Many thanks.

![show all attributes selected](https://i.imgur.com/HlFcvAC.png "show all attributes selected")

By Thomas Gasmyr Mougang staff 11 Jan 2018 at 3:30 p.m. CST

Hi **Will**, You are right about your screenshot. The version you are using doesn't support **gluuCustomPerson** and other stuff. You are using an older Gluu version (**3.0.2**) and as you may know we are currently at version **3.1.1**, with version **3.1.2** coming soon. So you have two choices:

1. **Update Gluu**
2. **Take the customization (dive deep and change the LDAP schema)**

It is up to you now. Thanks!

By Thomas Gasmyr Mougang staff 12 Jan 2018 at 2:50 a.m. CST

Hi Will, Here are quick steps to release this attribute if you don't want to update. Actually that attribute already exists, but its **gluuAttributeOrigin** is set to _inetOrgPerson_. To make it visible in the attributes list, you have to change that to _gluuCustomPerson_ and add that attribute to the _gluuCustomPerson_ class.

1. **Change gluuAttributeOrigin value from inetOrgPerson to gluuCustomPerson.**

Log in to the Gluu container, create an ldif file named _updateEmployeeNumber.ldif_ and paste the code below into that file.

```
dn: inum=@!8635.04CD.3A7D.97F1!0001!C278.7D00!0005!D0C9,ou=attributes,o=@!8635.04CD.3A7D.97F1!0001!C278.7D00,o=gluu
changetype: modify
replace: gluuAttributeOrigin
gluuAttributeOrigin: gluuCustomPerson
```

Run the command below to apply your changes.

```
/opt/opendj/bin/ldapmodify -p 1636 -Z -X -D "cn=directory manager,o=gluu" -w 'yourPassword' -f updateEmployeeNumber.ldif
```

_NB: You may modify the rootDN to match your own._

You will now be able to see that attribute in the attributes list.

2. **Add _employeeNumber_ to _gluuCustomPerson_ class.**

Open this file **/opt/gluu/schema/openldap/custom.schema** and link the attribute as described below.

```
objectclass ( 1.3.6.1.4.1.48710.1.4.101 NAME 'gluuCustomPerson'
  SUP ( top ) AUXILIARY
  MAY ( telephoneNumber $ mobile $ employeeNumber )
  X-ORIGIN 'Gluu - Custom persom objectclass' )
```

Note that employeeNumber is added. Apply changes:

```
# service solserver stop
# /opt/symas/bin/slaptest -f /opt/symas/etc/openldap/slapd.conf
# service solserver start
```

That's it.
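The two steps above (the LDIF that rewrites `gluuAttributeOrigin`, and the edit that adds `employeeNumber` to the `MAY` list of the `gluuCustomPerson` objectclass) are easy to get slightly wrong by hand, and a duplicated attribute in a `MAY` clause makes `slaptest` reject the schema. The script below is an added example, not code from the thread or from Gluu: it parses an OpenLDAP `objectclass` definition, adds an attribute to its `MAY` list only if it is not already present, and generates the modify LDIF for the origin change. The `CUSTOM_SCHEMA` text is a constructed sample modelled on the objectclass quoted in the post (before `employeeNumber` was added); the attribute DN passed to `origin_change_ldif` is a placeholder, not a real inum.

```python
import re

# Constructed sample: the gluuCustomPerson objectclass as shipped, before the
# edit described in the post (i.e. without employeeNumber in MAY).
CUSTOM_SCHEMA = """objectclass ( 1.3.6.1.4.1.48710.1.4.101 NAME 'gluuCustomPerson'
  SUP ( top ) AUXILIARY
  MAY ( telephoneNumber $ mobile )
  X-ORIGIN 'Gluu - Custom persom objectclass' )
"""

# OpenLDAP allows either "MAY ( a $ b )" or the single-attribute form "MAY a".
MAY_RE = re.compile(
    r"MAY\s*(?:\(\s*(?P<body>[^)]*)\)|(?P<single>[A-Za-z][\w-]*))"
)


def may_attributes(objectclass_text):
    """Return the attribute names listed in the objectclass's MAY clause."""
    m = MAY_RE.search(objectclass_text)
    if not m:
        return []
    if m.group("single"):
        return [m.group("single")]
    return [a.strip() for a in m.group("body").split("$") if a.strip()]


def add_may_attribute(objectclass_text, attr):
    """Return the objectclass text with `attr` appended to MAY.

    Idempotent: if the attribute is already present (case-insensitive, as LDAP
    attribute names are), the text is returned unchanged, so re-running the
    edit never produces a duplicate that slaptest would reject.
    """
    attrs = may_attributes(objectclass_text)
    if attr.lower() in (a.lower() for a in attrs):
        return objectclass_text
    if not MAY_RE.search(objectclass_text):
        raise ValueError("objectclass has no MAY clause to extend")
    new_may = "MAY ( " + " $ ".join(attrs + [attr]) + " )"
    # Use a callable replacement so no character in new_may is interpreted
    # as a backreference by re.sub.
    return MAY_RE.sub(lambda _m: new_may, objectclass_text, count=1)


def origin_change_ldif(attribute_dn, new_origin="gluuCustomPerson"):
    """Build the LDIF 'modify' record that rewrites gluuAttributeOrigin.

    `attribute_dn` is the DN of the attribute entry under ou=attributes; the
    caller supplies it (it is deployment-specific).
    """
    return "\n".join([
        f"dn: {attribute_dn}",
        "changetype: modify",
        "replace: gluuAttributeOrigin",
        f"gluuAttributeOrigin: {new_origin}",
        "",  # trailing blank line terminates the LDIF record
    ])


if __name__ == "__main__":
    updated = add_may_attribute(CUSTOM_SCHEMA, "employeeNumber")
    print(updated)
    # Placeholder DN: replace with the real attribute inum from your server.
    print(origin_change_ldif("inum=<attribute-inum>,ou=attributes,o=<org-inum>,o=gluu"))
```

Write the returned objectclass text back into `custom.schema`, then run `slaptest` as the post describes; the LDIF string goes into `updateEmployeeNumber.ldif` for `ldapmodify`.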

By Thomas Gasmyr Mougang staff 16 Jan 2018 at 12:42 a.m. CST

Hi Will, Just to let you know that I'm about to close this ticket for inactivity. You can reopen the ticket if needed.

By Will Beacon user 16 Jan 2018 at 3:51 a.m. CST

That's fine - and thanks for the resolution. We managed to upgrade to 3.1.1 which resolved the problem for us.