Differences

This shows you the differences between two versions of the page.

docpublic:systemes:shibboleth:docusign [2021/01/28 14:57]
procacci@tem-tsp.eu [Mapped Attributes]
docpublic:systemes:shibboleth:docusign [2023/10/24 14:46] (current)
adminjp [shib IDP attribute-resolver]
Line 38: Line 38:
 {{:docpublic:systemes:shibboleth:shib-docusign-sp-idp-end-points-definition.png?300|}} {{:docpublic:systemes:shibboleth:shib-docusign-sp-idp-end-points-definition.png?300|}}
  
-We also set thet we use signe AuthN an use Post Method . +We also set that we use signed AuthN and use Post Method . 
 ==== DocuSign SP Metadata ==== ==== DocuSign SP Metadata ====
  
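Review bot: the corrected sentence still reads loosely; "signe AuthN" became "signed AuthN" but "Post Method ." keeps a space before the period and does not say what is being signed. Suggest "We also set that we use signed authentication requests (AuthnRequest) and the HTTP-POST binding." so the two settings chosen in the endpoint screenshot above are named precisely.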
Line 60: Line 60:
 === SP metadata certificate === === SP metadata certificate ===
  
-the ducosing SP certificate is included in these frashly downloaded metadata, we can extract it to a dedicated file that will be loaded in our metadata-provider for sign checking .+the DocuSign SP certificate is included in these freshly downloaded metadata, we can extract it to a dedicated file that will be loaded in our metadata-provider for sign checking .
  
 get certificate from SP metadata element X509Certificate :  get certificate from SP metadata element X509Certificate : 
Line 229: Line 229:
 ===== shib IDP attribute-resolver ===== ===== shib IDP attribute-resolver =====
  
-In the IDP we use the **attribute-resolver-ldap.xml** file to define our customized for DocuSign for NameID mail attribute and permission (employeeType)  attribute . +In the IDP we use the **attribute-resolver-ldap.xml** (or attribute-resolver.xml)  file to define our customized for DocuSign for NameID mail attribute and permission (employeeType)  attribute . 
  
 <code> <code>
 [root@idptest conf]# grep attribute-resolver-ldap.xml services.xml [root@idptest conf]# grep attribute-resolver-ldap.xml services.xml
         <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>         <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>
-</code>        +</code>        
 + 
 +==== mapped attributes ==== 
 + 
 +in order to map DocuSign domains ID to our mail domains we need to map values  
 + 
 +attribute-resolver.xml mapped employeType 
 + 
 +<code> 
 +<AttributeDefinition id="employeeType" xsi:type="Mapped"> 
 + 
 +   <InputDataConnector ref="passthroughAttributes" attributeNames="mail" /> 
 +    <DefaultValue passThru="false"/> 
 +<!-- Values Prod --> 
 +     <ValueMap> 
 +        <ReturnValue>1601</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue> 
 +    </ValueMap> 
 +    <ValueMap> 
 +        <ReturnValue>1604</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte-atlantic.fr</SourceValue> 
 +    </ValueMap> 
 +... 
 + <ValueMap> 
 +        <ReturnValue>16049193</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@mines-ste.fr</SourceValue> 
 +    </ValueMap> 
 + 
 + </AttributeDefinition> 
 + 
 +</code> 
 + 
 +idem for staticDSAccountID 
 + 
 +<code> 
 +<AttributeDefinition id="staticDSAccountID" xsi:type="Mapped"> 
 +   <InputDataConnector ref="passthroughAttributes" attributeNames="mail" /> 
 +         <AttributeEncoder xsi:type="SAML2String" 
 +          name="urn:oid:1.3.6.1.4.1.7391.5" friendlyName="staticDSAccountID" /> 
 +    <DefaultValue passThru="false"/> 
 +    <!-- Values DocuSign Prod --> 
 +    <!-- <ValueMap> 
 +        <ReturnValue>14219580-a3e2</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue> 
 +    </ValueMap> --> 
 +    <ValueMap> 
 +        <ReturnValue>24035b51-b871-</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue> 
 +    </ValueMap> 
 +    <ValueMap> 
 +        <ReturnValue>76919292-2f64</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte-atlantic.fr</SourceValue> 
 +    </ValueMap> 
 +... 
 +  <ValueMap> 
 +        <ReturnValue>557f440a-a124</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@mines-ste.fr</SourceValue> 
 +    </ValueMap> 
 + </AttributeDefinition> 
 +</code>
  
 ==== Mail rewriting ==== ==== Mail rewriting ====
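Review bot: the SourceValue patterns in both Mapped definitions use an unescaped dot, e.g. `<SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue>`; SourceValue is a regular expression, so `.` matches any character and the map would also accept an address whose domain is not literally imte.fr. Escape the dot (`(.+)@imte\.fr`) in every ValueMap, including the `@imte-atlantic.fr` and `@mines-ste.fr` entries; no anchors are needed because partialMatch is left at its default of false and the whole value must match. The intro sentence "to define our customized for DocuSign for NameID mail attribute and permission (employeeType) attribute" needs rewording, for instance "to define the attributes customized for DocuSign: the mail-based NameID and the permission attribute (employeeType)", and the "mapped attributes" text should say what the numeric ReturnValues (1601, 1604, 16049193) are, i.e. DocuSign domain IDs, and fix "employeType". The staticDSAccountID ReturnValues appear cut short ("24035b51-b871-"); if that is deliberate redaction, say so in the text so readers do not copy truncated IDs.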
Line 261: Line 320:
     </ValueMap>     </ValueMap>
  </AttributeDefinition>  </AttributeDefinition>
 +</code>
  
 when a user connect with it's email address of givenName.Surname@**domain2**.eu , it is finally transmited to DocuSign SP as givenName.Surname@**domain1**.eu .  when a user connect with it's email address of givenName.Surname@**domain2**.eu , it is finally transmited to DocuSign SP as givenName.Surname@**domain1**.eu . 
  
 +==== Permission map ====
  
 +We also used a mapped attribute definition in oder to match Roles/Permission of DS-Sender vs DS-viewer , repectivelly  1122394 and 1122395
 +
 +<code>
 +<AttributeDefinition id="employeeType" xsi:type="Mapped">
 +
 +   <InputDataConnector ref="myLDAP" attributeNames="employeeType" />
 +    <DefaultValue passThru="false"/>
 +    <ValueMap>
 +        <ReturnValue>1122394</ReturnValue>
 +        <SourceValue caseSensitive="false">Permanent</SourceValue>
 +    </ValueMap>
 +    <ValueMap>
 +        <ReturnValue>1122395</ReturnValue>
 +        <SourceValue partialMatch="true" caseSensitive="false">Doctorant</SourceValue>
 +    </ValueMap>
 +    <ValueMap>
 +        <ReturnValue>1122395</ReturnValue>
 +        <SourceValue partialMatch="true" caseSensitive="false">Vacataire</SourceValue>
 +    </ValueMap>
 + </AttributeDefinition>
 +</code>
 +
 +==== static AttributeDefinition for AccountID ====
 +
 +DocuSign support told us also to send a static value for the accoundID so that automatic profile affectation could be done
 +
 +we can get our API account ID from the E-Signature parameter screen , left menu => API-Keys
 +
 +{{:docpublic:systemes:shibboleth:shib-docusign-sp-accoundid.png?300|}}
 +
 +then we need our IDP to map and send that static value for everyone, so we creted a staticDataconnector and the associated decated static AttributeDefinition for thos DocuSign authZ feature with the creation of a custom staticDSAccountID attribute : 
 +
 +references :
 +
 +  * https://wiki.shibboleth.net/confluence/display/IDP4/StaticDataConnector
 +  * https://wiki.shibboleth.net/confluence/display/IDP4/SimpleAttributeDefinition
 +
 +in conf/attribute-resolver-ldap.xml
 +
 +<code>
 +
 +   <!-- disi JP for DocuSign -->
 +
 +<AttributeDefinition xsi:type="Simple" id="staticDSAccountID">
 +        <InputDataConnector ref="staticAttributes" attributeNames="staticDSAccountID" />
 +         <AttributeEncoder xsi:type="SAML2String"
 +                name="urn:oid:1.3.6.1.4.1.7399.1.1.1.1" friendlyName="staticDSAccountID" />
 +</AttributeDefinition>
 +
 +        <DataConnector id="staticAttributes" xsi:type="Static">
 +                <Attribute id="staticDSAccountID">
 +                        <Value>ai4dc9cfa7-dd39-aad1-884c-2f9b17574224</Value>
 +                </Attribute>
 +        </DataConnector>
 +        </AttributeResolver>
 +</code>
 +
 +==== Special case when unsing NAT ( checkAddress="false" ) ====
 +
 +clients in specific site which don't have many public IPs addresses use NAT , and it breaks the flow of using a proxied IDP 
 +In that case we must disable "checkAddress" in the IDP (as proxy)  configuration . 
 +
 +Analagous to the SP, there's a checkAddress setting on the SAML2.SSO profile configuration bean.
 +
 +https://wiki.shibboleth.net/confluence/display/IDP4/SAML2SSOConfiguration#55804373d9264505e7b248218c3ea26c3fd35a11
 +
 +
 + from examples in the doc: 
 +  * https://wiki.shibboleth.net/confluence/display/IDP4/RelyingPartyConfiguration
 +I understand that I can specify the checkAddress attribute only for those "2nd Hand/backends" IDPs of my idp-proxy by listing them specifically in relying-party.xml :
 +<code>
 +<util:list id="shibboleth.RelyingPartyOverrides">
 + <bean id="proxyBackendIdps" parent="RelyingPartyByName">
 +                 <constructor-arg name="relyingPartyIds">
 +                <list>
 +                        <value>https://idp.school1.fr/idp/shibboleth</value>
 +                        <value>https://idp.school2.fr/idp/shibboleth</value>
 +                        <value>https://multipass.school3.fr/idp/shibboleth</value>
 +                </list>
 +                </constructor-arg>
 +            <property name="profileConfigurations">
 +                <list>
 +                    <bean parent="SAML2.SSO" p:checkAddress="false" />
 +                </list></property> </bean> </util:list>
 +</code>
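Review bot: the "Permission map" block opens with `<AttributeDefinition id="employeeType" xsi:type="Mapped">`, the same id already given to the domain-based Mapped definition earlier on this page, and the "static AttributeDefinition for AccountID" block declares `<AttributeDefinition xsi:type="Simple" id="staticDSAccountID">` while an earlier Mapped definition also uses id="staticDSAccountID"; a resolver with two definitions sharing an id will not load, so rename one of each pair or state explicitly that the blocks are alternatives that are not both present in the file. The same friendlyName is encoded as `urn:oid:1.3.6.1.4.1.7399.1.1.1.1` here but `urn:oid:1.3.6.1.4.1.7391.5` in the earlier Mapped definition; pick one OID and keep it consistent with what was agreed with DocuSign. The Static DataConnector snippet closes with `</AttributeResolver>` that has no matching opening tag in the excerpt, so trim it or show the opening tag. In the NAT section, scoping `p:checkAddress="false"` to the three listed relying parties through RelyingPartyByName is the right choice over a global override, because disabling the check removes the client-address binding for exactly those flows; the sentence should say that explicitly, and the collapsed closing tags `</list></property> </bean> </util:list>` are better split one per line. Typos to fix in the prose: "in oder", "repectivelly", "accoundID", "creted", "decated", "thos", "unsing", "Analagous".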
docpublic/systemes/shibboleth/docusign.1611845852.txt.gz · Last modified: 2021/01/28 14:57 by procacci@tem-tsp.eu