List: shibboleth-users
Subject: Re: Substituting another attribute for mail
From: Andrew Morgan <morgan () orst ! edu>
Date: 2016-08-30 17:33:33
Message-ID: alpine.DEB.2.02.1608301025070.29148 () shell ! onid ! oregonstate ! edu
On Tue, 30 Aug 2016, Edenfield, Dusty wrote:
> We are trying to implement Dropbox SSO and have hit a snag. Dropbox is
> registered with InCommon and accepts the essential attribute bundle as
> explained in their documentation<https://www.dropbox.com/help/9125>.
> Dropbox states that it uses the email part of the bundle to identify
> users. For us, the email attribute is an email alias that may change
> depending on user preference or if they sign in under a different
> account that they own. We would prefer that Dropbox uses EPPN as the
> identifier since it is consistent across accounts for a given user.
>
> Is there a way to substitute EPPN for the mail attribute that Dropbox
> sees? The result would be that EPPN and mail match, and Dropbox doesn't
> know about the email alias issue.
Sure, you can create a new attribute in attribute-resolver.xml:
<resolver:AttributeDefinition xsi:type="ad:Simple" id="dropbox_email"
                              sourceAttributeID="eduPersonPrincipalName">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</resolver:AttributeDefinition>
Then release it only to Dropbox and deny the release of your "normal"
email attribute in attribute-filter.xml:
<AttributeFilterPolicy id="dropbox">
    <PolicyRequirementRule xsi:type="Requester" value="<dropbox-entityid>" />
    <AttributeRule attributeID="dropbox_email">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <DenyValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
Andy
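The approach above hinges on the deny rule: both definitions encode to the same SAML name (the mail OID), so if the normal "email" attribute were still released to Dropbox the SP would receive two values under one name. The following added example (not from the thread or from the Shibboleth project) simulates a simplified version of the IdP's permit/deny evaluation over a constructed attribute-filter.xml so the two-values collision can be checked before deploying; entity IDs, attribute values and the "default" policy are assumptions.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the "dropbox" policy from the thread plus an assumed default
# policy that releases the normal "email" attribute to every requester.
FILTER_XML = """<AttributeFilterPolicyGroup xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="default">
    <PolicyRequirementRule xsi:type="ANY" />
    <AttributeRule attributeID="email"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="dropbox">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.invalid/dropbox" />
    <AttributeRule attributeID="dropbox_email"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="email"><DenyValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""
# Same policy with the deny rule removed: the misconfiguration the check should catch.
FILTER_XML_NO_DENY = FILTER_XML.replace(
    '<AttributeRule attributeID="email"><DenyValueRule xsi:type="ANY" /></AttributeRule>', "")

# Constructed: SAML names assigned by the resolver's encoders (both use the mail OID,
# as in the thread) and resolved values for one hypothetical user.
ENCODER_NAMES = {"email": "urn:oid:0.9.2342.19200300.100.1.3",
                 "dropbox_email": "urn:oid:0.9.2342.19200300.100.1.3"}
RESOLVED = {"email": "alias@example.invalid", "dropbox_email": "jdoe@example.invalid"}

def policy_applies(policy, requester):
    """Simplified: only the ANY and Requester policy-requirement types are modelled."""
    rule = policy.find("PolicyRequirementRule")
    kind = rule.get(XSI_TYPE)
    return kind == "ANY" or (kind == "Requester" and rule.get("value") == requester)

def released_attributes(filter_xml, requester):
    """Attribute IDs permitted by any applicable policy and denied by none (deny wins)."""
    permitted, denied = set(), set()
    for policy in ET.fromstring(filter_xml).findall("AttributeFilterPolicy"):
        if not policy_applies(policy, requester):
            continue
        for rule in policy.findall("AttributeRule"):
            if rule.find("PermitValueRule") is not None:
                permitted.add(rule.get("attributeID"))
            if rule.find("DenyValueRule") is not None:
                denied.add(rule.get("attributeID"))
    return {a: RESOLVED[a] for a in permitted - denied if a in RESOLVED}

def saml_view(filter_xml, requester):
    """SAML name -> values as the SP sees them; two values under one name is a collision."""
    view = {}
    for att, value in released_attributes(filter_xml, requester).items():
        view.setdefault(ENCODER_NAMES[att], []).append(value)
    return view
```

With the deny rule in place Dropbox sees only the EPPN value under the mail OID while other requesters still get the alias; without it the same OID carries both values.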