...
The PowerShell code provided for each SP should be copied to the get-ADFSTkManualSPSettings.ps1 script in the /config folder. Please note that additional steps might also be needed.
Terena
### Terena.org/sp
# Attribute release for the Terena SP.
# Only the attributes named here are copied from $AllTransformRules, so this
# list is the complete set of claims handed to the SP; keep it to what the SP
# actually requires.
$TransformRules = [Ordered]@{
    'transient-id'             = $AllTransformRules.'transient-id'
    eduPersonTargetedID        = $AllTransformRules.eduPersonTargetedID
    eduPersonPrincipalName     = $AllTransformRules.eduPersonPrincipalName
    mail                       = $AllTransformRules.mail
    displayName                = $AllTransformRules.displayName
    givenName                  = $AllTransformRules.givenName
    sn                         = $AllTransformRules.sn
    eduPersonScopedAffiliation = $AllTransformRules.eduPersonScopedAffiliation
}

# Register the rule set under the SP's identifier string
# (presumably its SAML entityID - confirm against the SP metadata).
$IssuanceTransformRuleManualSP["https://terena.org/sp"] = $TransformRules
###
Orcid
### orcid.org
# Attribute release for ORCID: a single attribute, eduPersonUniqueID, is
# copied from $AllTransformRules; nothing else is issued to this SP.
$TransformRules = [Ordered]@{
    eduPersonUniqueID = $AllTransformRules.eduPersonUniqueID
}

# Register the rule set under the SP's identifier string
# (presumably its SAML entityID - confirm against the SP metadata).
$IssuanceTransformRuleManualSP["https://orcid.org/saml2/sp/1"] = $TransformRules
###
Sectigo (Cert-manager)
Harica
Harica Sectigo needs eduPersonEntitlement = urn:mace:terena.org:tcs:personal-user for all AL2 users.
Below is an example where the AL2 is retrieved from an AD group. Change the code based on how AL2 is stored in your institution.
They also need eduPersonTargetedId. In the example below norEduPersonLIN is used. If you don't have norEduPersonLIN, you can use primarysid or any other unique, persistent identifier.
### Harica PROD
$ManualSPSettings = @{
TransformRules ### Cert-manager (Sectigo)
$TransformRules = [Ordered]@{}
}
$ManualSPSettings.TransformRules.givenName = $AllTransformRules.givenName
$ManualSPSettings.TransformRules.sn = $AllTransformRules.sn
$ManualSPSettings.TransformRules.mail = $AllTransformRules.mail
$ManualSPSettings.TransformRules.'transient-id' = $AllTransformRules.'transient-id'
$ManualSPSettings.TransformRules.eduPersonPrimaryAffiliation $TransformRules= $AllTransformRules.eduPersonPrimaryAffiliation
$ManualSPSettings.TransformRules.eduPersonPrincipalName = $AllTransformRules.eduPersonPrincipalName
$ManualSPSettings.TransformRules.schacHomeOrganization = $AllTransformRules.schacHomeOrganization
$ManualSPSettings.TransformRules.eduPersonTargetedId = [PSCustomObject]@{
$TransformRules.displayName = $AllTransformRules.displayName
$TransformRules.givenName = $AllTransformRules.givenName
$TransformRules.mail = $AllTransformRules.mail
$TransformRules.sn = $AllTransformRules.sn
$TransformRules.schacHomeOrganization = $AllTransformRules.schacHomeOrganization
$TransformRulesRule=@"
@RuleName = "Transform norEduPersonLIN"
c:[Type == "urn:mace:dir:attribute-def:norEduPersonLIN"]
=> issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
Value = c.Value,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
"@
Attribute="urn:mace:dir:attribute-def:norEduPersonLIN"
}
$ManualSPSettings.TransformRules.eduPersonEntitlement = [PSCustomObject]@{
Rule=@"
@RuleName = "Set eduPersonEntitlement for AL2 users"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "<group name containing all AL2 users>"]
=> issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7", Value = "urn:mace:terena.org:tcs:personal-user", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
"@
Attribute="http://schemas.xmlsoap.org/claims/Group"
}
}
$IssuanceTransformRuleManualSP["https://www.harica.gr/simplesamlphp/module.php/saml/sp/metadata.php/pki-grnet-sp"] = $ManualSPSettings
### Harica STAGING
$IssuanceTransformRuleManualSP["https://cm-stg.harica.gr/simplesamlphp/module.php/saml/sp/metadata.php/harica-cm-stg-sp"] = $ManualSPSettings
### Harica DEV
$IssuanceTransformRuleManualSP["https://cert-manager.com/shibbolethcm-dev.harica.gr/saml/module.php/saml/sp/metadata.php/harica-cm-dev-sp"] = $TransformRules$ManualSPSettings
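Review bot: The eduPersonTargetedId rule in the Harica section passes norEduPersonLIN through unchanged (`Value = c.Value`), and the same `$ManualSPSettings` object is then assigned to the PROD, STAGING and DEV entries, so all three SPs receive the same raw local identifier rather than an opaque, per-SP value. If Harica only needs a stable key, consider deriving it the way the InAcademia rule on this page does with `_OpaqueIdStore`; whether Harica accepts that is not visible here and should be confirmed. The entitlement rule also rests entirely on membership of one AD group, so a comment such as `# Membership of this group grants urn:mace:terena.org:tcs:personal-user; restrict who can modify the group` above it would help. As rendered, this section still interleaves lines from the earlier Sectigo listing (the bare `$TransformRules.` assignments, the stray `Rule`/`TransformRules` tokens and the merged DEV URL), so it should be checked against the current page before being copied into the config.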
###
InAcademia
### Inacademia
# Attribute release for InAcademia: a single entry holding two claim rules.
#   1. "synthesize persistent-id" takes the primarysid claim and adds a
#      urn:adfstk:persistentid claim obtained from the _OpaqueIdStore
#      attribute store, so the SID itself is not what gets issued.
#   2. "issue persistent-id" issues that value as the NameID with the SAML
#      persistent name-id format.
# The here-string is double-quoted, so PowerShell expands
# $($Settings.configuration.StaticValues.ADFSExternalDNS) when this script
# runs. "[ReplaceWithSPNameQualifier]" looks like a placeholder that is
# substituted elsewhere - confirm.
# NOTE(review): the key is named transientid although the rule issues a
# persistent NameID - confirm this is the key name the toolkit expects.
$TransformRules = [Ordered]@{
    transientid = [PSCustomObject]@{
        Rule      = @"
@RuleName = "synthesize persistent-id"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
=> add(store = "_OpaqueIdStore", types = ("urn:adfstk:persistentid"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);
@RuleName = "issue persistent-id"
c:[Type == "urn:adfstk:persistentid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Issuer = c.Issuer,
OriginalIssuer = c.OriginalIssuer,
Value = c.Value, ValueType = c.ValueType,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "[ReplaceWithSPNameQualifier]",
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://$($Settings.configuration.StaticValues.ADFSExternalDNS)");
"@
        Attribute = ""
    }
}

# Register the rule set under the SP's identifier string
# (presumably its SAML entityID - confirm against the SP metadata).
$IssuanceTransformRuleManualSP["https://inacademia.org/metadata/inacademia-simple-validation.xml"] = $TransformRules
###
...