By: Thomas Maerz user 19 Jul 2016 at 8:20 p.m. CDT

3 Responses
I am working on getting JIT provisioning working with WebEx SAML 2.0. I have it working with users which exist already in the WebEx Administration site, but there are more attribute requirements to enable auto account creation and updating. They want to see:

```
lastname
firstname
email            Valid email format
updatetimestamp  The user information update time
                 Support format
                 long format: sample: System.currentTimeMillis()
                 LDIF format: yyyyMMddHHmmss
                              yyyy-MM-dd HH:mm:ss
                              sample: 20090115213256
                 UTC format ("2009-10-09T06:00:32Z")
```

To further clarify, by default, it makes sense to populate the Gluu LDAP directory with the default values when using Cache Refresh because it shows up in the GUI and other RelyingParty may need lastname instead of sn or email instead of mail.

Is there a way for me to map, for example, sn to fill sn in the Gluu LDAP server but also fill my custom attribute lastname with the same value? I looked at multivalue attributes but that appears to be for attributes which contain multiple values, not attributes with the same value but multiple attribute names. If not, how is this normally done? Is it similar to creating a custom nameID? Is this a possible use for oxAuth claim names?

By Thomas Maerz user 19 Jul 2016 at 9:56 p.m. CDT

I've found the answer to my own question, it was a little buried in this very nice [document](https://www.gluu.org/docs/cache-refresh/GluuCache-Refresh.pdf) on page 11. What I am experiencing now is accounts created while the mapping existed only for email and not mail do not have a mail attribute even though the dual mapping is now set up and the cache refresh is still updating. New accounts and accounts that were created before the mapping changed have both mail attribute and email, etc. Is this expected behavior?

By Mohib Zico staff 20 Jul 2016 at 5:47 a.m. CDT

Cisco is not following any SAML standard. They need attributes which have a NameFormat something like 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'. Standard attributes will not work for their auto account creation. You need to create all attributes manually (from firstname to uid) specifically for Cisco WebEx and Spark (at least a few of our customers are using these two).

By Thomas Maerz user 25 Jul 2016 at 2:32 p.m. CDT

Mohib, I think you are exactly right. I tried simply building custom attributes in oxTrust but I think they must manually be defined in the `attribute.resolver.xml` velocity template for this because they are wanting a very specific response. For anyone working on this in the future, the issue is explained a little here: [http://shibboleth.net/pipermail/users/2015-November/025187.html](http://shibboleth.net/pipermail/users/2015-November/025187.html) You can see an example of what response format WebEx is expecting here: [https://developer.cisco.com/fileMedia/download/72f0e675-579f-42e3-880f-4904ab7d8646](https://developer.cisco.com/fileMedia/download/72f0e675-579f-42e3-880f-4904ab7d8646)
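
Added example, not part of the thread and not Gluu or Cisco code: a Python check that a SAML AttributeStatement carries the four attributes listed in the first post, each with the `unspecified` NameFormat quoted in the staff reply, and that `updatetimestamp` matches one of the listed formats. The sample statements, the helper names and the 13-digit assumption for the long format are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted XML, parse with defusedxml instead

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
REQUIRED = ("firstname", "lastname", "email", "updatetimestamp")
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# The updatetimestamp formats listed in the first post.
TIMESTAMPS = [re.compile(p) for p in (
    r"\d{13}",                                 # long: epoch milliseconds (13 digits assumed)
    r"\d{14}",                                 # LDIF: yyyyMMddHHmmss
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}",    # yyyy-MM-dd HH:mm:ss
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z",   # UTC
)]

def check_attribute_statement(xml_text):
    """Return a list of problems; an empty list means the attributes look right.
    Checks attribute shape only, not the assertion signature."""
    found, problems = {}, []
    for attr in ET.fromstring(xml_text).iter(SAML + "Attribute"):
        name = attr.get("Name")
        found[name] = (attr.findtext(SAML + "AttributeValue") or "").strip()
        if name in REQUIRED and attr.get("NameFormat") != UNSPECIFIED:
            problems.append(f"{name}: NameFormat is not unspecified")
    for name in REQUIRED:
        if not found.get(name):
            problems.append(f"{name}: missing or empty")
    if found.get("email") and not EMAIL.fullmatch(found["email"]):
        problems.append("email: not a valid email format")
    ts = found.get("updatetimestamp")
    if ts and not any(p.fullmatch(ts) for p in TIMESTAMPS):
        problems.append("updatetimestamp: not in an accepted format")
    return problems

def _attr(name, value, fmt=UNSPECIFIED):  # hypothetical helper for the constructed samples
    return (f'<saml:Attribute Name="{name}" NameFormat="{fmt}">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>')

def _statement(*attrs):
    return ('<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            + "".join(attrs) + "</saml:AttributeStatement>")

# Constructed samples: GOOD uses the names and NameFormat from the thread; BAD uses
# an OID-named attribute, the uri NameFormat and a date-only timestamp.
GOOD = _statement(_attr("firstname", "Ada"), _attr("lastname", "Example"),
                  _attr("email", "ada@example.org"),
                  _attr("updatetimestamp", "20090115213256"))
URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BAD = _statement(_attr("urn:oid:2.5.4.42", "Ada", URI), _attr("lastname", "Example", URI),
                 _attr("email", "ada@example.org"), _attr("updatetimestamp", "2009-01-15"))
```

Run `check_attribute_statement` against the AttributeStatement captured from a test login to see which of the required attributes the IdP is not releasing in the expected shape.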