conditionaly repopulate attributes based on sp

By: Rhett Prichard user 19 Aug 2020 at 10:40 p.m. CDT

1 Response
Rhett Prichard gravatar
Ok, so I have multiple SP vendors with this problem, but here is the clearest example I can come up with. Our setup: - We have two emails for our users. - Teachers and Staff use o365 for email and so get a email address of user@domain.edu. - Students use google apps suite for there email and get an email address of user.appsuite.domain.edu - Teachers user google apps suite for their docs to share with students and use the underlying email service for sharing those docs. There emails are forwarded to the o365 accounts. Our Issue: - Google requires the email address to be gives as `<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@appsuite.domain.edu</saml:NameID>` - FreshService is out helpdesk service. They require users to be sepecifed as `<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@domain.edu</saml:NameID>` Our Questions I am working on the suggestion given on the ticket below. ([Ticket](https://support.gluu.org/customization/8701/attribute-transforms-for-outgoing-saml-per-trusted-sp/)) So I have several questions about this. 1, the told me to use these instructions. ([Webex](https://gluu.org/docs/gluu-server/4.2/integration/saas/webex/)) but the files mentioned attribute-resolver.xml.vm do no exist, can i make an empty file and add the items to it, or do i need to find a template to start with? 2, What variable do I use to verify which SP is asking?
CentOS 7.0
closed

Answers

By Mohib Zico staff 22 Aug 2020 at 9:02 a.m. CDT

Copy
Mohib Zico gravatar
Ok, first issue: - in any SSO system, there shouldn't be 'two' email Addresses for any users; but you are having that. "Email_Address" and "UID" are two 'unique' attributes being considered by any Security system. Anyways, Just thinking randomly... If I were in your position, I would create two custom attributes ( one for Google, one for FreshService ), then map email addresses into those custom attribute, create two nameIDs with those two attributes. Release freshDesk based nameID to FreshDesk trust relationship, Release GoogleDoc based nameID to Google Trust relationship. Then check various user-cases, see how things go. There should be some elegant way to do that but to research more.. .need to invest more time and team effort ( i.e. using OIDC protocol for Google apps... or some custom script which would run at the time of login and decide who is logging ( student / teacher / staff / teacher + staff ) and perform whole authN / authZ accordingly etc.... . >> the told me to use these instructions. (Webex) but the files mentioned attribute-resolver.xml.vm do no exist, can i make an empty file and add the items to it, or do i need to find a template to start with? Custom nameIDs are [GUI](https://www.gluu.org/docs/gluu-server/4.2/admin-guide/saml/#nameid) based now, but you can also 'grab' those velocity templates. Yes, they are not in stated location now. You have to explode identity.war, get them from another war etc... Something like this: - Get identity.war - Extract it - Go to WEB-INF/lib/ location - You will get another jar named oxtrust-configuration-4.0.Final.jar - Extract this jar and you will get those VM files.

Post an answer