Differences

This shows you the differences between two versions of the page.

Link to this comparison view

--- docpublic:systemes:shibboleth:docusign [2021/06/09 15:15]
adminjp [Special case when unsing NAT ( checkAddress="false" )]
+++ docpublic:systemes:shibboleth:docusign [2023/10/24 14:46] (current)
adminjp [shib IDP attribute-resolver]
@@ Line 229: / Line 229: @@
 ===== shib IDP attribute-resolver =====
-In the IDP we use the **attribute-resolver-ldap.xml** file to define our customized for DocuSign for NameID mail attribute and permission (employeeType)  attribute .
+In the IDP we use the **attribute-resolver-ldap.xml** (or attribute-resolver.xml)  file to define our customized for DocuSign for NameID mail attribute and permission (employeeType)  attribute .
 <code>
 [root@idptest conf]# grep attribute-resolver-ldap.xml services.xml
         <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>
 </code>
+==== mapped attributes ====
+in order to map DocuSign domains ID to our mail domains we need to map values
+attribute-resolver.xml mapped employeType
+<code>
+<AttributeDefinition id="employeeType" xsi:type="Mapped">
+   <InputDataConnector ref="passthroughAttributes" attributeNames="mail" />
+    <DefaultValue passThru="false"/>
+<!-- Values Prod -->
+     <ValueMap>
+        <ReturnValue>1601</ReturnValue>
+        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue>
+    </ValueMap>
+    <ValueMap>
+        <ReturnValue>1604</ReturnValue>
+        <SourceValue caseSensitive="false">(.+)@imte-atlantic.fr</SourceValue>
+    </ValueMap>
+...
+ <ValueMap>
+        <ReturnValue>16049193</ReturnValue>
+        <SourceValue caseSensitive="false">(.+)@mines-ste.fr</SourceValue>
+    </ValueMap>
+ </AttributeDefinition>
+</code>
+idem for staticDSAccountID
+<code>
+<AttributeDefinition id="staticDSAccountID" xsi:type="Mapped">
+   <InputDataConnector ref="passthroughAttributes" attributeNames="mail" />
+         <AttributeEncoder xsi:type="SAML2String"
+          name="urn:oid:1.3.6.1.4.1.7391.5" friendlyName="staticDSAccountID" />
+    <DefaultValue passThru="false"/>
+    <!-- Values DocuSign Prod -->
+    <!-- <ValueMap>
+        <ReturnValue>14219580-a3e2</ReturnValue>
+        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue>
+    </ValueMap> -->
+    <ValueMap>
+        <ReturnValue>24035b51-b871-</ReturnValue>
+        <SourceValue caseSensitive="false">(.+)@imte.fr</SourceValue>
+    </ValueMap>
+    <ValueMap>
+        <ReturnValue>76919292-2f64</ReturnValue>
+        <SourceValue caseSensitive="false">(.+)@imte-atlantic.fr</SourceValue>
+    </ValueMap>
+...
+  <ValueMap>
+        <ReturnValue>557f440a-a124</ReturnValue>
+        <SourceValue caseSensitive="false">(.+)@mines-ste.fr</SourceValue>
+    </ValueMap>
+ </AttributeDefinition>
+</code>
 ==== Mail rewriting ====
@@ Line 332: / Line 391: @@
 https://wiki.shibboleth.net/confluence/display/IDP4/SAML2SSOConfiguration#55804373d9264505e7b248218c3ea26c3fd35a11
-in relying-party.xml for our docusign entityIds (we have a prod and dev instances)
  from examples in the doc:
   * https://wiki.shibboleth.net/confluence/display/IDP4/RelyingPartyConfiguration
-I understand that I can specify the checkAddress attribute only for those "2nd Hand/backends" IDPs of my idp-proxy by listing them specifically :
+I understand that I can specify the checkAddress attribute only for those "2nd Hand/backends" IDPs of my idp-proxy by listing them specifically in relying-party.xml :
 <code>
 <util:list id="shibboleth.RelyingPartyOverrides">

docpublic/systemes/shibboleth/docusign.1623251741.txt.gz · Last modified: 2021/06/09 15:15 by adminjp

Show page Old revisions

[unknown link type]Back to top