SAML EntityIDs and Assertion Consumer Endpoints (ACS) for the Proxy
...
In order for AD FS to interoperate with a Shibboleth SP (Service Provider), some changes are required.
AD FS metadata can be modified using https://github.com/rohe/pysfemma. The claim rules below are an example of the output. You can use them for testing after modifying them (in production, change them to meet your needs), but it may be easiest to use adfs2fed.py in the tools directory of pysfemma.
...
@RuleName="Get Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("urn:oid:0.9.2342.19200300.100.1.3"), query = ";mail;{0}", param = c.Value);
@RuleName="Convert Email xml"
c:[Type == "urn:oid:0.9.2342.19200300.100.1.3"]
=> issue(Type = c.Type, Value = c.Value, Issuer = c.Issuer, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName="Get FirstName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("urn:oid:2.5.4.42"), query = ";givenName;{0}", param = c.Value);
@RuleName="Convert FirstName xml"
c:[Type == "urn:oid:2.5.4.42"]
=> issue(Type = c.Type, Value = c.Value, Issuer = c.Issuer, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName="Get LastName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("urn:oid:2.5.4.4"), query = ";sn;{0}", param = c.Value);
@RuleName="Convert LastName xml"
c:[Type == "urn:oid:2.5.4.4"]
=> issue(Type = c.Type, Value = c.Value, Issuer = c.Issuer, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName="Get sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("urn:oid:1.2.840.113556.1.4.221"), query = ";uid;{0}", param = c.Value);
@RuleName="Convert sAMAccountName / uid xml"
c:[Type == "urn:oid:1.2.840.113556.1.4.221"]
=> issue(Type = "urn:oid:0.9.2342.19200300.100.1.1", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName="sAMAccountName to Username / uid"
c:[Type == "urn:oid:1.2.840.113556.1.4.221"]
@RuleName="Get displayName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("urn:oid:1.2.840.113556.1.2.13"), query = ";displayName;{0}", param = c.Value);
@RuleName="Convert displayName xml"
c:[Type == "urn:oid:1.2.840.113556.1.2.13"]
=> issue(Type = "urn:oid:2.16.840.1.113730.3.1.241", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName="Name Identifier"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
Example of eduPersonPrincipalName (EPPN) mapped to upn. Any value you use should be unique and must not change over time. Modify the member@yourdomain.edu in the Value property to match your domain. This is a scoped attribute.
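As an added check, not code from this page or from pysfemma: the script below parses a SAML 2.0 assertion (a constructed sample is embedded, no real capture) and verifies that the attributes the rules above issue arrive under their urn:oid names with NameFormat uri, carry a value, and that eduPersonPrincipalName is scoped to your domain. The eduPersonPrincipalName OID is an assumption, since the page only names the attribute.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # assumed eduPersonPrincipalName OID; not on the page
# Attribute names the rules on this page issue, with their LDAP friendly names.
EXPECTED = {"urn:oid:0.9.2342.19200300.100.1.3": "mail", "urn:oid:2.5.4.42": "givenName",
            "urn:oid:2.5.4.4": "sn", "urn:oid:0.9.2342.19200300.100.1.1": "uid",
            "urn:oid:2.16.840.1.113730.3.1.241": "displayName", EPPN: "eduPersonPrincipalName"}


def check_assertion(xml_text, scope):
    """Return findings for one assertion; an empty list means it matches the rules above."""
    root = ET.fromstring(xml_text)
    findings, seen = [], {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name, fmt = attr.get("Name"), attr.get("NameFormat")
        seen[name] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        # The "Convert ... xml" rules exist precisely to set NameFormat to uri.
        if name in EXPECTED and fmt != URI_FORMAT:
            findings.append(f"{EXPECTED[name]} ({name}) has NameFormat {fmt!r}, expected uri")
    for oid, friendly in EXPECTED.items():
        if oid not in seen:
            findings.append(f"missing attribute {friendly} ({oid})")
        elif not any(seen[oid]):
            findings.append(f"attribute {friendly} ({oid}) has no value")
    for value in seen.get(EPPN, []):  # EPPN is scoped: user@<scope> and nothing else
        if "@" not in value or value.rpartition("@")[2] != scope:
            findings.append(f"eduPersonPrincipalName {value!r} is not scoped to {scope}")
    return findings


def _attr(name, value, fmt=URI_FORMAT):
    fmt_xml = f' NameFormat="{fmt}"' if fmt else ""
    return f'<saml:Attribute Name="{name}"{fmt_xml}><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'


def sample_assertion(eppn="jdoe@yourdomain.edu", display_fmt=URI_FORMAT):
    """Constructed AttributeStatement with values those rules would emit; not a real capture."""
    attrs = "".join([_attr("urn:oid:0.9.2342.19200300.100.1.3", "jdoe@yourdomain.edu"),
                     _attr("urn:oid:2.5.4.42", "Jane"), _attr("urn:oid:2.5.4.4", "Doe"),
                     _attr("urn:oid:0.9.2342.19200300.100.1.1", "jdoe"),
                     _attr("urn:oid:2.16.840.1.113730.3.1.241", "Jane Doe", display_fmt),
                     _attr(EPPN, eppn)])
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}"><saml:AttributeStatement>'
            f"{attrs}</saml:AttributeStatement></saml:Assertion>")

if __name__ == "__main__":
    print(check_assertion(sample_assertion(), "yourdomain.edu"))  # []
    print(check_assertion(sample_assertion("jdoe@other.edu", None), "yourdomain.edu"))
```

Feed it the decoded assertion from the SP side (for example from Shibboleth's transaction log or a browser SAML tracer) instead of the constructed sample to confirm the relying party trust emits what the rules intend.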
...