Differences

This shows you the differences between two versions of the page.

docpublic:systemes:shibboleth:docusign [2021/06/09 15:12]
adminjp [Special case when using NAT]
docpublic:systemes:shibboleth:docusign [2023/10/24 14:46] (current)
adminjp [shib IDP attribute-resolver]
Line 229: Line 229:
 ===== shib IDP attribute-resolver ===== ===== shib IDP attribute-resolver =====
  
-In the IDP we use the **attribute-resolver-ldap.xml** file to define our customized for DocuSign for NameID mail attribute and permission (employeeType)  attribute . +In the IDP we use the **attribute-resolver-ldap.xml** (or attribute-resolver.xml)  file to define our customized for DocuSign for NameID mail attribute and permission (employeeType)  attribute . 
  
 <code> <code>
 [root@idptest conf]# grep attribute-resolver-ldap.xml services.xml [root@idptest conf]# grep attribute-resolver-ldap.xml services.xml
         <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>         <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>
-</code>        +</code>        
 + 
 +==== mapped attributes ==== 
 + 
 +in order to map DocuSign domains ID to our mail domains we need to map values  
 + 
 +attribute-resolver.xml mapped employeType 
 + 
 +<code> 
 +<AttributeDefinition id="employeeType" xsi:type="Mapped"> 
 + 
 +   <InputDataConnector ref="passthroughAttributes" attributeNames="mail" /> 
 +    <DefaultValue passThru="false"/> 
 +<!-- Values Prod --> 
 +     <ValueMap> 
 +        <ReturnValue>1601</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue> 
 +    </ValueMap> 
 +    <ValueMap> 
 +        <ReturnValue>1604</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte-atlantic.fr</SourceValue> 
 +    </ValueMap> 
 +... 
 + <ValueMap> 
 +        <ReturnValue>16049193</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@mines-ste.fr</SourceValue> 
 +    </ValueMap> 
 + 
 + </AttributeDefinition> 
 + 
 +</code> 
 + 
 +idem for staticDSAccountID 
 + 
 +<code> 
 +<AttributeDefinition id="staticDSAccountID" xsi:type="Mapped"> 
 +   <InputDataConnector ref="passthroughAttributes" attributeNames="mail" /> 
 +         <AttributeEncoder xsi:type="SAML2String" 
 +          name="urn:oid:1.3.6.1.4.1.7391.5" friendlyName="staticDSAccountID" /> 
 +    <DefaultValue passThru="false"/> 
 +    <!-- Values DocuSign Prod --> 
 +    <!-- <ValueMap> 
 +        <ReturnValue>14219580-a3e2</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue> 
 +    </ValueMap> --> 
 +    <ValueMap> 
 +        <ReturnValue>24035b51-b871-</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue> 
 +    </ValueMap> 
 +    <ValueMap> 
 +        <ReturnValue>76919292-2f64</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@imte-atlantic.fr</SourceValue> 
 +    </ValueMap> 
 +... 
 +  <ValueMap> 
 +        <ReturnValue>557f440a-a124</ReturnValue> 
 +        <SourceValue caseSensitive="false">(.+)@mines-ste.fr</SourceValue> 
 +    </ValueMap> 
 + </AttributeDefinition> 
 +</code>
  
 ==== Mail rewriting ==== ==== Mail rewriting ====
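Review bot: In both the employeeType and staticDSAccountID ValueMaps, the SourceValue patterns such as `(.+)@imte.fr` leave the dot of the domain unescaped, so `.` matches any character and the pattern also accepts an address like `user@imte-fr`; because these maps decide which DocuSign account and permission level a user is placed in, write the domains as `(.+)@imte\.fr`, `(.+)@imte-atlantic\.fr` and `(.+)@mines-ste\.fr`. Two documentation points as well: the numeric ReturnValues (1601, 1604, 16049193) and the account IDs (`24035b51-b871-` ends in a hyphen and looks cut off) carry no comment saying what they are or that they are shortened for the wiki, and `<DefaultValue passThru="false"/>` with no value means a user whose mail matches none of the domains gets no employeeType or staticDSAccountID at all, which is worth stating next to the definitions. Minor: staticDSAccountID has an inline SAML2String AttributeEncoder while employeeType has none; if employeeType is encoded elsewhere, a one-line comment saying so would save the next reader a search.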
Line 333: Line 392:
 https://wiki.shibboleth.net/confluence/display/IDP4/SAML2SSOConfiguration#55804373d9264505e7b248218c3ea26c3fd35a11 https://wiki.shibboleth.net/confluence/display/IDP4/SAML2SSOConfiguration#55804373d9264505e7b248218c3ea26c3fd35a11
  
-in relying-party.xml for our docusign entityIds (we have a prod and dev instances)  
  
 + from examples in the doc: 
 +  * https://wiki.shibboleth.net/confluence/display/IDP4/RelyingPartyConfiguration
 +I understand that I can specify the checkAddress attribute only for those "2nd Hand/backends" IDPs of my idp-proxy by listing them specifically in relying-party.xml :
 <code> <code>
-<!-- Container for any overrides you want to add. --> +<util:list id="shibboleth.RelyingPartyOverrides"> 
-    <util:list id="shibboleth.RelyingPartyOverrides"> + <bean id="proxyBackendIdps" parent="RelyingPartyByName"> 
- <bean id="DocuSign" parent="RelyingPartyByName" c:relyingPartyIds="#{{'https://https://account-d.docusign.com/organizations/secret8108/saml2', 'https://account.docusign.com/organizations/secret7004/saml2'}}"> +                 <constructor-arg name="relyingPartyIds">
-            <property name="profileConfigurations">+
                 <list>                 <list>
-                    <bean parent="SAML2.SSO" p:encryptAssertions="false" p:checkAddress="false" />+                        <value>https://idp.school1.fr/idp/shibboleth</value> 
 +                        <value>https://idp.school2.fr/idp/shibboleth</value> 
 +                        <value>https://multipass.school3.fr/idp/shibboleth</value>
                 </list>                 </list>
-            </property> +                </constructor-arg> 
-        </bean>+            <property name="profileConfigurations"
 +                <list> 
 +                    <bean parent="SAML2.SSO" p:checkAddress="false" /> 
 +                </list></property> </bean> </util:list>
 </code> </code>
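Review bot: The new `<property name="profileConfigurations"` start tag in the proxyBackendIdps bean is missing its closing `>` (the next line goes straight to `<list>`), so relying-party.xml is no longer well-formed XML and the IdP will refuse to load it; it should read `<property name="profileConfigurations">`. Also note what the rewrite drops: the previous DocuSign bean set both `p:encryptAssertions="false"` and `p:checkAddress="false"` for the two DocuSign entityIDs, while the new bean lists only the three school IdPs and sets only `p:checkAddress="false"`. If DocuSign still needs unencrypted assertions, that override has to live in a second bean inside the same `shibboleth.RelyingPartyOverrides` list (fixing the doubled `https://https://` in the dev entityID while at it) rather than being replaced. Finally, `</list></property> </bean> </util:list>` are run together on one line; one closing element per line keeps future diffs of this override readable.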
docpublic/systemes/shibboleth/docusign.1623251544.txt.gz · Last modified: 2021/06/09 15:12 by adminjp