Differences

This shows you the differences between two versions of the page.


docpublic:systemes:shibboleth:docusign [2021/01/29 13:54]
procacci@tem-tsp.eu [Permission map]
docpublic:systemes:shibboleth:docusign [2023/10/24 14:46] (current)
adminjp [shib IDP attribute-resolver]
Line 229: Line 229:
 ===== shib IDP attribute-resolver ===== ===== shib IDP attribute-resolver =====
  
-In the IDP we use the **attribute-resolver-ldap.xml** file to define our customized for DocuSign for NameID mail attribute and permission (employeeType)  attribute . +In the IDP we use the **attribute-resolver-ldap.xml** (or attribute-resolver.xml)  file to define our customized for DocuSign for NameID mail attribute and permission (employeeType)  attribute . 
  
 <code> <code>
 [root@idptest conf]# grep attribute-resolver-ldap.xml services.xml [root@idptest conf]# grep attribute-resolver-ldap.xml services.xml
         <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>         <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>
-</code>        +</code>        
 + 
 +==== mapped attributes ==== 
 + 
 +in order to map DocuSign domains ID to our mail domains we need to map values  
 + 
 +attribute-resolver.xml mapped employeType 
 + 
 +<code> 
 +<AttributeDefinition id="employeeType" xsi:type="Mapped"> 
 + 
 +   <InputDataConnector ref="passthroughAttributes" attributeNames="mail" /> 
 +    <DefaultValue passThru="false"/> 
 +<!-- Values Prod --> 
 +     <ValueMap> 
 +        <ReturnValue>1601</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue> 
 +    </ValueMap> 
 +    <ValueMap> 
 +        <ReturnValue>1604</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte-atlantic.fr</SourceValue> 
 +    </ValueMap> 
 +... 
 + <ValueMap> 
 +        <ReturnValue>16049193</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@mines-ste.fr</SourceValue> 
 +    </ValueMap> 
 + 
 + </AttributeDefinition> 
 + 
 +</code> 
 + 
 +idem for staticDSAccountID 
 + 
 +<code> 
 +<AttributeDefinition id="staticDSAccountID" xsi:type="Mapped"> 
 +   <InputDataConnector ref="passthroughAttributes" attributeNames="mail" /> 
 +         <AttributeEncoder xsi:type="SAML2String" 
 +          name="urn:oid:1.3.6.1.4.1.7391.5" friendlyName="staticDSAccountID" /> 
 +    <DefaultValue passThru="false"/> 
 +    <!-- Values DocuSign Prod --> 
 +    <!-- <ValueMap> 
 +        <ReturnValue>14219580-a3e2</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue> 
 +    </ValueMap> --> 
 +    <ValueMap> 
 +        <ReturnValue>24035b51-b871-</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue> 
 +    </ValueMap> 
 +    <ValueMap> 
 +        <ReturnValue>76919292-2f64</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte-atlantic.fr</SourceValue> 
 +    </ValueMap> 
 +... 
 +  <ValueMap> 
 +        <ReturnValue>557f440a-a124</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@mines-ste.fr</SourceValue> 
 +    </ValueMap> 
 + </AttributeDefinition> 
 +</code>
  
 ==== Mail rewriting ==== ==== Mail rewriting ====
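Review bot: the SourceValue patterns in both Mapped definitions use an unescaped dot (`(.+)@imte.fr`, `(.+)@imte-atlantic.fr`, `(.+)@mines-ste.fr`), so the `.` matches any character rather than a literal dot; write them as `(.+)@imte\.fr` so each ValueMap fires only on the intended domain. Two documentation points in the same hunk: `employeeType` carries no AttributeEncoder while `staticDSAccountID` has one inline (`urn:oid:1.3.6.1.4.1.7391.5`), so state where the employeeType encoder is defined, and the commented-out `14219580-a3e2` map for imte.fr sitting next to the live `24035b51-b871-` map needs a one-line comment explaining the account change (that trailing hyphen also reads like a truncated value; confirm the full DocuSign account ID before relying on it). Finally, both the permission value and the DocuSign account are derived solely from the `mail` attribute fed through `passthroughAttributes`, so make sure `mail` is single-valued and not user-writable in the directory: a second or self-set address would map the user into another school's DocuSign account.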
Line 324: Line 383:
 </code> </code>
  
 +==== Special case when unsing NAT ( checkAddress="false" ) ====
 +
 +clients in specific site which don't have many public IPs addresses use NAT , and it breaks the flow of using a proxied IDP 
 +In that case we must disable "checkAddress" in the IDP (as proxy)  configuration . 
 +
 +Analagous to the SP, there's a checkAddress setting on the SAML2.SSO profile configuration bean.
 +
 +https://wiki.shibboleth.net/confluence/display/IDP4/SAML2SSOConfiguration#55804373d9264505e7b248218c3ea26c3fd35a11
 +
 +
 + from examples in the doc: 
 +  * https://wiki.shibboleth.net/confluence/display/IDP4/RelyingPartyConfiguration
 +I understand that I can specify the checkAddress attribute only for those "2nd Hand/backends" IDPs of my idp-proxy by listing them specifically in relying-party.xml :
 +<code>
 +<util:list id="shibboleth.RelyingPartyOverrides">
 + <bean id="proxyBackendIdps" parent="RelyingPartyByName">
 +                 <constructor-arg name="relyingPartyIds">
 +                <list>
 +                        <value>https://idp.school1.fr/idp/shibboleth</value>
 +                        <value>https://idp.school2.fr/idp/shibboleth</value>
 +                        <value>https://multipass.school3.fr/idp/shibboleth</value>
 +                </list>
 +                </constructor-arg>
 +            <property name="profileConfigurations">
 +                <list>
 +                    <bean parent="SAML2.SSO" p:checkAddress="false" />
 +                </list></property> </bean> </util:list>
 +</code>
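Review bot: the relying party matched by a SAML2.SSO override is the entity that sends the AuthnRequest, so the entityIDs in `relyingPartyIds` must be the ones the NAT'ed sites present in their requests to this IdP; if they are not, the override never matches and checkAddress silently stays on. Limiting `p:checkAddress="false"` to that list rather than the default SAML2.SSO bean is the right scope, but add a comment next to each entry saying why it is there and that the setting should be reverted when the NAT constraint disappears, because disabling the address check removes the binding between the IdP session and the client address for those parties. Style points: "unsing" in the heading should be "using" and "Analagous" should be "Analogous", and the closing `</list>`, `</property>`, `</bean>` and `</util:list>` belong on their own lines so the snippet can be pasted into relying-party.xml readably.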
docpublic/systemes/shibboleth/docusign.1611928471.txt.gz · Last modified: 2021/01/29 13:54 by procacci@tem-tsp.eu
CC Attribution-Noncommercial-Share Alike 4.0 International