Hi Colleen,
I'm doing something like what I think you're trying to achieve (setting eduPersonAffiliation based on what organisational unit a user belongs to in AD).
I do this using a ScriptletAttributeDefinition - it basically pulls out the dn field, which contains all the OU information, and uses this to determine the "user type" and assign appropriate eduPersonAffiliation values.
The logic is slightly complicated because we have an additional AD field (stirExternalAccessLevel) which we use to control access for groups of users or individuals who are able to authenticate but who don't have access rights to our external Shibboleth-protected library resources...
Once you have an eduPersonAffiliation value, it is easily turned into an eduPersonScopedAffiliation (see the bottom).
N.B. This is for IdP v1.3 - no idea if this would work with v2:
<ScriptletAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <DataConnectorDependency requires="directory"/>
    <Scriptlet>
        // Raw AD attributes resolved by the "directory" data connector
        Attributes attributes = dependencies.getConnectorResolution("directory");

        // distinguishedName carries the full OU path of the account;
        // guard against a missing value so toString() cannot throw
        Attribute dn = attributes.get("distinguishedName");
        String dnStr = (dn != null) ? dn.toString() : "";

        // Local attribute controlling external access; absent for most users
        Attribute accLevel = attributes.get("stirExternalAccessLevel");
        String accLevelStr = "";
        if (accLevel != null) {
            accLevelStr = accLevel.toString();
        }

        // For testing only
        // String accLevelStr = "0";

        // Staff
        if (dnStr.indexOf("OU=Enabled,OU=Staff") >= 0) {
            // if access not denied
            if (!(accLevelStr.indexOf("0") >= 0)) {
                resolverAttribute.addValue("staff");
                resolverAttribute.addValue("member");
            }
        }

        // Students
        if (dnStr.indexOf("OU=Enabled,OU=Students") >= 0) {
            // if access not denied
            if (!(accLevelStr.indexOf("0") >= 0)) {
                resolverAttribute.addValue("student");
                resolverAttribute.addValue("member");
            }
        }

        // Research Postgraduate
        if (dnStr.indexOf("OU=Enabled,OU=ResearchPGs") >= 0) {
            // if access not denied
            if (!(accLevelStr.indexOf("0") >= 0)) {
                resolverAttribute.addValue("staff");
                resolverAttribute.addValue("student");
                resolverAttribute.addValue("member");
            }
        }

        // External User
        if (dnStr.indexOf("OU=Enabled,OU=External") >= 0) {
            // If access is allowed
            if (accLevelStr.indexOf("1") >= 0) {
                resolverAttribute.addValue("member");
            } else {
                resolverAttribute.addValue("affiliate");
            }
        }
    </Scriptlet>
</ScriptletAttributeDefinition>

<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" smartScope="stir.ac.uk">
    <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
</SimpleAttributeDefinition>
Hope this helps.
Regards,
Mike
Michael White
eLearning Developer
Centre for eLearning Development (CeLD)
3V3a, Cottrell
University of Stirling
Stirling SCOTLAND
FK9 4LA
Email: [log in to unmask]
Tel: +44 (0) 1786 466877
Fax: +44 (0) 1786 466880
http://www.is.stir.ac.uk/celd/
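Added example (not part of Mike's post and not Shibboleth IdP code): a stand-alone JavaScript model of the same OU-to-affiliation decision, written so the mapping can be run and checked outside the IdP. It parses the DN into RDNs and matches the OU chain structurally instead of calling indexOf on the raw string, which avoids accidental prefix matches such as "OU=Staffing" satisfying "OU=Staff", and it compares the access-level value exactly rather than testing whether the string contains "0" (which would also match "10"). The function names parseDn, hasOuPath, affiliations and scopedAffiliations, the RULES table, the exact-value reading of stirExternalAccessLevel and the sample DNs are all assumptions made for illustration; the IdP scripted-attribute API is not reproduced here.

```javascript
// Added example: stand-alone model of the OU -> eduPersonAffiliation mapping.
// NOT the Shibboleth IdP scriptlet API. DN parser, rule table, access-level
// interpretation and sample DNs are constructed for illustration.

// Parse a DN into an ordered list of {type, value} RDNs (most specific first).
// Backslash escapes are honoured, so an escaped comma inside a CN value
// cannot be mistaken for an RDN separator.
function parseDn(dn) {
  const parts = [];
  let cur = "";
  let escaped = false;
  for (const ch of dn) {
    if (escaped) { cur += ch; escaped = false; continue; }
    if (ch === "\\") { escaped = true; continue; }
    if (ch === ",") { parts.push(cur); cur = ""; continue; }
    cur += ch;
  }
  parts.push(cur);
  return parts.map(p => {
    const i = p.indexOf("=");
    // Attribute types are case-insensitive in LDAP; normalise them.
    return { type: p.slice(0, i).trim().toUpperCase(), value: p.slice(i + 1).trim() };
  });
}

// True if `path` (innermost OU first) appears as a run of adjacent OU RDNs,
// mirroring the adjacency that "OU=Enabled,OU=Staff" implied in the scriptlet.
function hasOuPath(rdns, path) {
  for (let s = 0; s + path.length <= rdns.length; s++) {
    const hit = path.every((ou, i) =>
      rdns[s + i].type === "OU" && rdns[s + i].value === ou);
    if (hit) return true;
  }
  return false;
}

// Constructed rule table reproducing the post's three gated groups.
const RULES = [
  { path: ["Enabled", "Staff"],       values: ["staff", "member"] },
  { path: ["Enabled", "Students"],    values: ["student", "member"] },
  { path: ["Enabled", "ResearchPGs"], values: ["staff", "student", "member"] },
];

// accessLevel: "0" denies, "1" allows (assumed exact values; "" when the
// attribute is absent). Returns eduPersonAffiliation values in rule order.
function affiliations(dn, accessLevel) {
  const rdns = parseDn(dn);
  const denied = accessLevel === "0";
  const out = new Set();
  for (const rule of RULES) {
    if (!denied && hasOuPath(rdns, rule.path)) {
      rule.values.forEach(v => out.add(v));
    }
  }
  // External users: "member" only when explicitly allowed, else "affiliate".
  if (hasOuPath(rdns, ["Enabled", "External"])) {
    out.add(accessLevel === "1" ? "member" : "affiliate");
  }
  return [...out];
}

// Scoped form, equivalent to the smartScope step in the post.
function scopedAffiliations(dn, accessLevel, scope) {
  return affiliations(dn, accessLevel).map(a => `${a}@${scope}`);
}

// Constructed sample DNs (DC=example,DC=org is a placeholder domain).
const SAMPLES = [
  ["CN=Jane Smith,OU=Enabled,OU=Staff,DC=example,DC=org", ""],
  ["CN=Jane Smith,OU=Enabled,OU=Staffing,DC=example,DC=org", ""],
  ["CN=Guest,OU=Enabled,OU=External,DC=example,DC=org", "1"],
  ["CN=Guest,OU=Enabled,OU=External,DC=example,DC=org", ""],
];
for (const [dn, lvl] of SAMPLES) {
  console.log(dn, "->", scopedAffiliations(dn, lvl, "stir.ac.uk"));
}
```

The adjacency check in hasOuPath is what the original substring test enforced implicitly; keeping it means a stray OU inserted between "Enabled" and "Staff" in AD silently stops granting the affiliation rather than granting it by accident, which is the safer failure mode for an authorisation attribute.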
-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Colleen
Sent: 30 March 2009 15:50
To: [log in to unmask]
Subject: Attribute script
Does anyone have an attribute-resolver script for setting the orgPersonScopedAffiliation attribute based on which container / organisational unit the user account is in?
--
Academic Excellence at the Heart of Scotland.
The University of Stirling is a charity registered in Scotland,
number SC 011159.