By: Hal Hauk user 05 Mar 2020 at 9:38 p.m. CST

8 Responses
I'm working with a SAML SP that requires an attribute called PartnerUserId. They say it just needs to be an ID that is unique to the user (could even be the email address). I haven't been able to find a way to create an attribute that is linked to another value. I'm starting to think the only way to do it is to create a new attribute within LDAP? I created an attribute and called it "mail" for its name and that was accepted, but after adding it to the trust relationship it just shows two "email" values as exposed attributes. Currently I'm getting "OOPS - An unexpected error has occurred at null - login.errorSessionInvalidMessage" when I attempt to log in, and this is the first thing I can find that is missing. Any thoughts on either behavior appreciated, but before I can address one I think I need to try to address the first and create an attribute somehow? Thoughts and feedback greatly appreciated!

By Mohit Mali staff 07 Mar 2020 at 1:08 a.m. CST

Hi Hal Hauk, Thank you for reaching out to Gluu support. I will assist you on this ticket. Please let me know which document you are following for creating the custom attribute. I hope you are following this: https://gluu.org/docs/ce/4.0/admin-guide/attribute/#custom-attributes Also, can you please tell me which backend you are using, Couchbase or OpenDJ?

Thanks and Regards,
Mohit Mali

By Hal Hauk user 10 Mar 2020 at 11:19 a.m. CDT

Thank you. I'm using OpenDJ and was following the custom attributes page you reference. However, that document describes the process of adding an attribute to LDAP, which would then have to be populated. My intention was not to create a whole new attribute to populate and double efforts, but instead to reference an existing attribute under a different name. If this is not possible then I understand the limitation. The intent is to publish a unique attribute under the name "PartnerUserId" in the SAML response for the SP. They recommend just using the email address for this field, or any unique value. Thanks for your guidance!

By Mohit Mali staff 11 Mar 2020 at 2:53 a.m. CDT

Hi Hal Hauk, OK, let me check with the team and get back to you.

By Mohit Mali staff 11 Mar 2020 at 3:01 a.m. CDT

Hi Hal Hauk, You can achieve a different alias for an existing attribute; please edit the schema file under /opt/opendj/config/schema. For example, for the name attribute we can add it like this:

```
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name X-ORIGIN 'RFC 4519' )
attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name X-ORIGIN 'RFC 4519' )
attributeTypes: ( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} X-ORIGIN 'RFC 4519' )
```

then restart OpenDJ.

By Hal Hauk user 20 Mar 2020 at 4:47 p.m. CDT

I did my best from the posted section of the config, but what I can read is that this information is literally the default config. Did we miss something? Or am I supposed to edit the config and add an attribute name after the existing NAME() data? For example, change:

```
attributeTypes: ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} X-ORIGIN 'RFC 4524' )
```

To:

```
attributeTypes: ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' 'PartnerUserId' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} X-ORIGIN 'RFC 4524' )
```

Am I following? Thanks for hanging in with me.
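The two posts above describe the schema-alias approach: append a second name to the NAME list of an existing attributeType so the same LDAP value can be looked up under both names. The following is an added example, not code from this thread, from Gluu or from OpenDJ. It parses RFC 4512-style attributeType definitions (the stock `mail` line and the same line with the hypothetical alias `PartnerUserId`, both constructed here), builds a case-insensitive name index, and shows that a request for `PartnerUserId` resolves to the same OID and value as `mail`. Attribute release is modelled as a plain dictionary lookup; it makes no claim about how Gluu's IdP actually maps attributes.

```python
"""Added example: resolve attributeType aliases the way a directory would.

Assumptions (not from the thread): the entry is keyed by the attribute's
first (canonical) NAME, and 'PartnerUserId' is an alias appended to the
stock 'mail' definition as proposed above.
"""
import re

# Constructed sample schema lines. STOCK_MAIL mirrors the default
# definition; ALIASED_MAIL is the proposed edit with the extra alias.
STOCK_MAIL = (
    "attributeTypes: ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' ) "
    "EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} X-ORIGIN 'RFC 4524' )"
)
ALIASED_MAIL = STOCK_MAIL.replace("'rfc822Mailbox' )", "'rfc822Mailbox' 'PartnerUserId' )")
SN = "attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name X-ORIGIN 'RFC 4519' )"
SERIAL = (
    "attributeTypes: ( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch "
    "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} "
    "X-ORIGIN 'RFC 4519' )"
)

# OID followed by NAME, where NAME is either one quoted name or a
# parenthesised list of quoted names (RFC 4512 qdescrs).
_ATTR_RE = re.compile(
    r"\(\s*(?P<oid>[\d.]+)\s+NAME\s+(?P<names>\(\s*(?:'[^']+'\s*)+\)|'[^']+')"
)


def parse_attribute_type(line):
    """Return (oid, [names]) for one 'attributeTypes:' schema line."""
    body = line.split(":", 1)[1].strip()
    m = _ATTR_RE.match(body)
    if not m:
        raise ValueError(f"not an attributeType definition: {line[:40]!r}")
    names = re.findall(r"'([^']+)'", m.group("names"))
    return m.group("oid"), names


def build_name_index(schema_lines):
    """Map lowercase name -> (oid, canonical name). LDAP attribute names are
    case-insensitive, and a name may belong to only one OID."""
    index = {}
    for line in schema_lines:
        if not line.startswith("attributeTypes:"):
            continue  # skip objectClasses, comments, etc.
        oid, names = parse_attribute_type(line)
        for name in names:
            key = name.lower()
            if key in index and index[key][0] != oid:
                # Same name bound to two different attributes: a directory
                # server would refuse to load this schema.
                raise ValueError(f"{name!r} already bound to OID {index[key][0]}")
            index[key] = (oid, names[0])
    return index


def release_attributes(entry, requested, index):
    """Return {requested name: values} for every requested name that the
    index resolves and the entry actually carries. Unknown names are
    silently omitted rather than released as empty."""
    released = {}
    for name in requested:
        hit = index.get(name.lower())
        if hit is None:
            continue
        canonical = hit[1]
        if canonical in entry:
            released[name] = entry[canonical]
    return released


if __name__ == "__main__":
    # Constructed user entry, keyed by canonical attribute name.
    user = {"mail": ["hal@example.test"], "sn": ["Hauk"]}
    wanted = ["mail", "PartnerUserId", "sn"]
    print("stock schema:  ", release_attributes(user, wanted, build_name_index([STOCK_MAIL, SN])))
    print("aliased schema:", release_attributes(user, wanted, build_name_index([ALIASED_MAIL, SN])))
```

With the stock schema the SP's `PartnerUserId` request resolves to nothing; with the alias in place it is released with exactly the `mail` value, which is the behaviour the posts above are after. The clash check in `build_name_index` is there because the alias must be a name not already defined elsewhere in the schema, otherwise two definitions compete for it.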

By Mohib Zico staff 24 Mar 2020 at 11:25 a.m. CDT

> I'm working with a SAML SP that requires an attribute called PartnerUserId. They say it just needs to be an ID that is unique to the user (could even be the email address).

I think you don't need to go the complex way for this. Just create a [custom attribute](https://www.gluu.org/docs/ce/4.0/admin-guide/attribute/#custom-attributes) and insert the email address as its value. You are done.

By Hal Hauk user 24 Mar 2020 at 4:37 p.m. CDT

This is what I tried before the OpenDJ route, but the behavior I experienced was that after updating the trust relationship with this new attribute, going back in reported two "Email" attributes instead of one called Email and the other called PartnerUserId. Perhaps this is just a bug? I'd like to pursue the OpenDJ option for testing, but unfortunately there is more to it than what was described above. I'm certainly trying to make the most of the documentation right now. Thanks again.

By Mohib Zico staff 24 Mar 2020 at 4:43 p.m. CDT

We have configured hundreds of SPs so far, and a lot of them have/had a custom attribute (which might have an email_address value) in the SAML assertion. I never had to play with the schema other than adding a custom attribute.