By: Jeffrey Krug user 29 Apr 2019 at 3:54 p.m. CDT

3 Responses
This is not a problem ticket exactly, but I want to make sure the way I do this is as safe as possible. I have some custom SAML attributes sourced from a DB that are very easy to retrieve and encode with Shibboleth configuration (I know Shibboleth very well). I am not sure if there is a trivial way to integrate these attributes into GLUU directly (the customer has existing DB management stuff they are not interested in changing, so I can't have GLUU import the attributes; they need to be continuously sourced from the DB, SQL DB if relevant). My current plan is just to tweak the Shibboleth config within attribute-resolver.xml and attribute-filter.xml for these attributes, but I have noticed that some GLUU configuration actions will regenerate these files from templates. Are they being generated from templates located at **/opt/gluu/jetty/identity/conf/shibboleth3/idp**? Is it safe to edit those files?

By Michael Schwartz Account Admin 03 May 2019 at 11:48 p.m. CDT

If you are using cache refresh, the best way would be to write an API to fetch this data, and call the API from the Cache Refresh Update script. You want to use an API because you don't want to make stateful JDBC connections from the Gluu Server. If you use a custom Shib template, you will not have the attribute available to OpenID applications. Plus, calling a DB at authn time is bad for both performance and reliability.

By Aliaksandr Samuseu staff 06 May 2019 at 1:07 p.m. CDT

Hi, Jeffrey. Michael has addressed most of it already; I'll just add in on this part:

> I have noticed that some GLUU configuration actions will regenerate these files from templates.
> Are they being generated from templates located at /opt/gluu/jetty/identity/conf/shibboleth3/idp? Is it safe to edit those files?

Yes, those are the templates you need, and it's generally safe to edit them - assuming you understand how Apache Velocity works and know its syntax. You are on your own while on this task, though, as such in-depth stuff isn't normally covered by Community Support. You would indeed make the whole thing way less complex by just importing those attributes into Gluu's LDAP with a custom CR script.

By Jeffrey Krug user 12 May 2019 at 10:22 p.m. CDT

Thanks for the info!