If you wish to define eduPersonAffiliation based on groups within your directory to following is an example script that will allow you to do so. In this case we have an ldap attribute storing group information called distinguishedName. For your directory this might be memberOf or various other attributes.
The following assumes that values of distinguishedName take the form:
CN=Bradley Beddoes,OU=STAFF,DC=EDU,DC=AU
As you can see the below code matches on the partial OU=STAFF (and student/other). These comparisons are case sensitive.
<resolver:AttributeDefinition id="distinguishedName" xsi:type="ad:Simple" sourceAttributeID="distinguishedName">
<resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="eduPersonAffiliation"
sourceAttributeID="eduPersonAffiliation">
<!-- Dependency that provides the source attribute. -->
<resolver:Dependency ref="distinguishedName" />
<!-- SAML 1 and 2 encoders for the attribute. -->
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
friendlyName="eduPersonAffiliation" />
<!-- The script, wrapped in a CDATA section so that special XML characters don't need to be removed -->
<Script><![CDATA[
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
// Create attribute to be returned from definition
eduPersonAffiliation = new BasicAttribute("eduPersonAffiliation");
// Add at least one value
eduPersonAffiliation.getValues().add("affiliate");
// If the user has group membership
if (typeof distinguishedName != "undefined" && distinguishedName != null ){
// The go through each group membership and add the appropriate affiliation
// The IdP will remove duplicate values so we don't need to worry about that here
for ( i = 0; distinguishedName != null && i < distinguishedName.getValues().size(); i++ ){
value = distinguishedName.getValues().get(i);
if (value.indexOf("OU=STUDENTS") > 0){
eduPersonAffiliation.getValues().add("student");
}
if (value.indexOf("OU=STAFF") > 0){
eduPersonAffiliation.getValues().add("staff");
}
if (value.indexOf("OU=OTHERS") > 0){
eduPersonAffiliation.getValues().add("affiliate");
}
}
}
]]></Script>
</resolver:AttributeDefinition>
The following debug statements can be added to your script and will output data in your Tomcat log files catalina.localhost.<date>.log or similar . BE SURE TO REMOVE THESE ONCE YOUR TESTING IS COMPLETE.
Debug for use before for loop
print("\n\n------------DEBUG START SCRIPT CDATA");
print("\nSCRIPT DEBUG: " + (distinguishedName != null));
print("\nSCRIPT DEBUG: " + distinguishedName.getValues());
Debug for use within for loop
print("\nSCRIPT DEBUG: Processing distinguishedName value: " + value);