brendanheywood changed the title from "Support any attribute maps" to "Add config option for any existing attribute maps" on Nov 22, 2018
I've implemented this, but in a more flexible way. I was originally intending to use the SSP attribute map proc, but after some testing it doesn't work in reverse unless you have an explicit reverse mapping file, e.g.
But there is not a claim2name reverse mapping for ADFS in SSP. I thought about adding it, but instead I've made a much more flexible and robust attribute simplification setting which should work with just about any odd-shaped data that gets thrown at it, from any scheme or namespace.
What happened?
A common issue, especially with ADFS, is that the attributes are returned using long namespaced strings, i.e. instead of 'uid' as the key you will get:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
In theory this should still work, but it's a little awkward and makes for a lot of support queries. There are several workarounds and potential fixes:
Just use the long string name (there is a bug with these fields, see Help: Custom claims for ADFS attribute mapping #124), but this needs to be changed in core for the mappings here: https://github.com/moodle/moodle/blob/master/lib/authlib.php?utf8=%E2%9C%93#L1040
For the IdP mapping this needs to be changed here: https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_33PLUS/settings.php#L130
We should also allow any of the predefined attribute maps that come with SimpleSAMLphp to be pre-applied before we use them, i.e. for ADFS most people might want to use, say, name2claim or something. At the moment this is hard-coded to 'oid2name' here:
https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_33PLUS/config/config.php#L82-L83
A workaround many people have done with ADFS is to configure a custom claim which just uses the short human-readable key name instead of the long xmlsoap one. See an example of these custom claims here: #124 (comment)
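The attribute simplification this thread is about, written out as an added illustrative example. This is not the plugin's own PHP code and not a SimpleSAMLphp attribute map; it is a stand-alone Python sketch. The `OID2NAME` table is a hand-written subset of the well-known urn:oid to friendly-name pairs (an assumption, not copied from the project's oid2name map), and the ADFS response below is constructed sample data. Two points the thread raises are shown: namespaced keys of any scheme (xmlsoap claim URLs, urn:mace, urn:oid) are reduced to their short name, and the original long key is kept alongside so existing mappings that use the long string keep working. The one thing the sketch deliberately refuses to do is let two different incoming attributes collapse onto the same short name, since silently overwriting could put the wrong value into the field used for account matching.

```python
import re
from collections import defaultdict

# Assumed subset of the urn:oid -> friendly-name pairs (constructed for this
# example; the real oid2name map in SimpleSAMLphp is much larger).
OID2NAME = {
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.5.4.3": "cn",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
}

# Constructed sample of what an ADFS IdP typically sends back.
ADFS_ATTRIBUTES = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": ["jsmith"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["jsmith@example.org"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": ["Jane"],
    "urn:oid:0.9.2342.19200300.100.1.1": ["jsmith"],
}


def simplify_key(key):
    """Return the short form of a SAML attribute name.

    - a known urn:oid:* name is translated via OID2NAME
    - an unknown urn:oid:* name is left alone rather than guessed at
    - a URL- or URN-shaped name (ADFS claim URL, urn:mace:...) keeps only
      its last path segment
    - anything else (already short) is returned unchanged
    """
    if key in OID2NAME:
        return OID2NAME[key]
    if key.startswith("urn:oid:"):
        return key
    if "://" in key or key.startswith("urn:"):
        last = re.split(r"[/:]", key.rstrip("/"))[-1]
        return last or key
    return key


def simplify_attributes(attributes):
    """Return a copy of ``attributes`` keyed by short name.

    The original long key is kept as well, so a mapping configured against
    the long xmlsoap string still resolves. If two distinct incoming keys
    reduce to the same short name the response is rejected instead of
    letting one value silently overwrite the other.
    """
    simplified = {}
    sources = defaultdict(list)  # short name -> list of long keys producing it
    for key, values in attributes.items():
        short = simplify_key(key)
        sources[short].append(key)
        simplified[short] = list(values)
        if short != key:
            simplified[key] = list(values)
    collisions = {s: k for s, k in sources.items() if len(k) > 1}
    if collisions:
        raise ValueError("ambiguous attribute names after simplification: %r" % collisions)
    return simplified


if __name__ == "__main__":
    for name, values in sorted(simplify_attributes(ADFS_ATTRIBUTES).items()):
        print("%-75s %s" % (name, values))
```

With the sample above, `nameidentifier`, `emailaddress`, `givenname` and `uid` all become available as short keys while the long xmlsoap keys remain in the result. A response that carried both `urn:oid:0.9.2342.19200300.100.1.1` and a bare `uid` attribute would be rejected, which is the behaviour you want when the simplified name feeds the username match.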