
I have configured multiple (HTTP Form Adapter) IdP Adapters for an SP connection (IdP configuration). User attributes are fetched from the datastore (LDAP). Two DITs are configured in LDAP, so each IdP Adapter is configured with a DIT. I wanted to use multiple adapters only because I cannot use the same attribute names for multiple organizations. E.g., Adapter1 is configured with search base dc=example1,dc=com and Adapter2 is configured with search base dc=example2,dc=com.

When the IdP SSO URL is hit, it displays a page for adapter selection. When the user enters the username/password, the adapter should be selected automatically based on the inputs, instead of selecting it manually or appending the particular adapter id as a query parameter.

I found that automatic adapter selection can be enabled using an Adapter Selector. But the existing selectors, such as CIDR and SAML authn context, don't apply to my requirement, because they are based either on the request IP address or on the context set by the SP. I have gone through the composite adapter, but I couldn't find detailed documentation on integrating the composite adapter with the SP connection.

Could anyone please let me know if my approach is right? If so, please direct me on the integration. If wrong, please suggest an approach.

Thanks, Aswini J

  • I'm confused by your setup. Is there a reason you cannot use 2 PCVs (each with its own search base) with a single Adapter? In previous questions you stated it's a single Data Source with 2 suffixes. While the DNs might be different, isn't the actual schema the same? – Ian Jun 25 '15 at 17:09
  • Yes, it is a single Data Store. But when I map LDAP attributes to the attribute names specified in the Attribute Contract step, I need to get all attributes for a user corresponding to an organization. I need to maintain the same attribute names. For e.g., phone no is the common attribute I would like to use for two different organizations. When a user from xyz.com logs in, his/her phone no should be mapped to the attribute name "phone no". To cut it short, attribute names should be generic across multiple organizations. Please help. – Ashwini Jun 26 '15 at 08:07

2 Answers


I think you can do this one of two ways. You can do this with 1 Adapter with 2 PCVs, or 2 Adapters (each with 1 PCV) that are then combined into a single Composite Adapter that is then used in your SP Connection, if your goal is to remove the IdP Adapter selection decision.

The issue you will run into is if users are logging in with the equivalent of "uid=joe" to your HTML Form Adapter and "uid=joe" exists in both of your LDAP suffixes. How do you know which "joe" is the right one? You may need to ensure that the login identifier is unique (email?). However, that is merely how you can set up your user authentication. It won't really help you with your Attribute Contract Fulfillment, where you'll need to search both LDAP suffixes of your single Data Source to retrieve the user's attributes (e.g., telephoneNumber).

You'll need to specify "Retrieve additional attributes from multiple data stores using one mapping" on the Assertion Mapping screen and then do a lookup against both suffixes of your single Data Source for "telephoneNumber". Assuming the user's identity attribute you are searching on is unique across both suffixes (email?), you'll get a null value from one or the other suffix search (since the user will exist in one or the other).

When you get to your Attribute Contract Fulfillment screen, you'll need to map the attribute "phone no" for your Assertion to an Expression that inspects the results from the 2 Data Source lookups, discards the "null" result for telephoneNumber and inserts the valid search result.

  • I have specified "Retrieve additional attributes from multiple data stores using one mapping" and I am doing a lookup against both suffixes of a single data source. But still the attribute contract fulfillment cannot have repeated names. E.g., organization is the attribute which should be unique. For organization, we can select only one data source at a time and map the corresponding LDAP value. How does it solve my problem? – Ashwini Jun 26 '15 at 16:51
  • You'll need to use an OGNL Expression to get a single value. Expressions are documented in the PF Admin Guide – Ian Jun 26 '15 at 16:53
  • I was completely unaware that we can achieve through OGNL Expressions. Thanks a lot for your inputs and time:):) – Ashwini Jun 29 '15 at 12:15
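As an added illustration of the expression approach described in the answer and comments above (not part of the original answer), the two OGNL expressions below show a fulfillment for "phone no" that discards the null lookup result and one for "organization" derived from which suffix lookup returned the entry. It assumes the two attribute-source lookups were given the IDs org1 and org2 in the connection's Attribute Source & User Lookup step, and that lookup results are read with the `#this.get("ds.<source id>.<attribute>")` form; both the IDs and the organization strings are placeholders to adjust to your own configuration.

```ognl
#this.get("ds.org1.telephoneNumber") != null ? #this.get("ds.org1.telephoneNumber") : #this.get("ds.org2.telephoneNumber")

#this.get("ds.org1.uid") != null ? "example1.com" : "example2.com"
```

Note that the first expression simply prefers org1 whenever it returns a value, so if the same login identifier existed under both suffixes the org2 user would silently receive the org1 entry's attributes; this is why the answer's point about keeping the search identifier unique across both suffixes matters.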

You can simply use multiple data sources. Configure the filter of the other data source from the unique value of the first data source, e.g. uid=${userId}.