
I have an SP using Shibboleth as the IdP for SSO, and Shibboleth uses Active Directory as its user store.

In the SP configuration, it maps the attribute "urn:oid:2.16.840.1.113730.3.1.3" to a local attribute.

I exported all objects from AD but didn't find any attribute associated with 2.16.840.1.113730.3.1.3. But when I check the SAML log in the SP, I do find that values of "employeeID" from AD are filled into this attribute, although the AD attribute "employeeID" has a different attributeID (1.2.840.113556.1.4.35).

I used the following two commands to export the AD schema objects; neither of them shows 2.16.840.1.113730.3.1.3:

# Enumerate the schema partition and list each attribute's LDAP display name and OID
$schemaPath = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -Filter 'objectClass -eq "attributeSchema"' -SearchBase $schemaPath -Properties lDAPDisplayName,attributeID |
    Select-Object lDAPDisplayName,attributeID

# ldifde takes the search base with -d; -l limits the export to the two attributes of interest
ldifde -f xxx.ldif -d "CN=Schema,CN=Configuration,DC=xxxx,DC=xxxx,DC=edu" -l lDAPDisplayName,attributeID

Does anybody know why 2.16.840.1.113730.3.1.3 doesn't show up in the schema query but Shibboleth can query its values?

Thank you

wibbleman
  • This says it's `employeeNumber`, not `employeeID`: https://ldapwiki.com/wiki/2.16.840.1.113730.3.1.3 – Gabriel Luci Jul 01 '22 at 12:02
  • Thanks Gabriel. Yes, all online docs say 2.16.840.1.113730.3.1.3 is employeeNumber, but I cannot find this attributeID in my AD. Instead, Shibboleth retrieves values of "employeeID" from AD into 2.16.840.1.113730.3.1.3 in the SAML response. It is from RFC 2798 and part of the inetOrgPerson object class, and "employeeID" is in the "Users" object, which is from Microsoft. I wonder if there is any "hidden" link between 2.16.840.1.113730.3.1.3 and employeeID in AD. I noticed "2.16.840.1.113730.3.1.3" – wibbleman Jul 01 '22 at 15:08
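The behaviour the question and Gabriel Luci's comment describe (AD holds employeeID under OID 1.2.840.113556.1.4.35, yet the assertion carries the value under the employeeNumber OID 2.16.840.1.113730.3.1.3) is produced by the IdP's attribute resolver, not by anything in the AD schema. The SAML attribute name is a label the IdP administrator assigns in an encoder; the directory is only consulted for the value. The fragment below is an added illustration of that mapping in Shibboleth IdP v3 attribute-resolver.xml syntax; it is not the poster's actual configuration, and the connector id, host, base DN, bind account and filter are placeholders.

```xml
<!-- Hypothetical fragment of conf/attribute-resolver.xml (added example, not the poster's real config). -->
<AttributeResolver
        xmlns="urn:mace:shibboleth:2.0:resolver"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <!-- The wire name of the SAML attribute is set here by the IdP operator.
         It is a label on the assertion, not a lookup in the directory schema,
         so the OID does not need to exist in AD at all. -->
    <AttributeDefinition id="employeeNumber" xsi:type="Simple">
        <!-- Source value: AD's employeeID (schema OID 1.2.840.113556.1.4.35) -->
        <InputDataConnector ref="activeDirectory" attributeNames="employeeID"/>
        <!-- Released to SPs under the RFC 2798 employeeNumber OID -->
        <AttributeEncoder xsi:type="SAML2String"
                          name="urn:oid:2.16.840.1.113730.3.1.3"
                          friendlyName="employeeNumber"
                          encodeType="false"/>
    </AttributeDefinition>

    <!-- LDAP connector to AD; every value below is a placeholder -->
    <DataConnector id="activeDirectory" xsi:type="LDAPDirectory"
                   ldapURL="ldaps://dc01.example.edu"
                   baseDN="DC=example,DC=edu"
                   principal="CN=idp-bind,OU=Service Accounts,DC=example,DC=edu"
                   principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}">
        <FilterTemplate>
            <![CDATA[
                (sAMAccountName=$resolutionContext.principal)
            ]]>
        </FilterTemplate>
        <!-- Request only the directory attributes the resolver actually uses -->
        <ReturnAttributes>employeeID</ReturnAttributes>
    </DataConnector>
</AttributeResolver>
```

In IdP v4 and later the encoder moves out of the resolver into the attribute registry (conf/attributes/*.xml), but the principle is the same: the OID in the assertion comes from the IdP's transcoding rules, and the SP's attribute-map entry for urn:oid:2.16.840.1.113730.3.1.3 simply matches that name. The practical consequence for the SP operator is that the OID carries no guarantee about the backing directory attribute or its semantics; if the value is used for authorization, confirm with the IdP administrator which AD attribute feeds it rather than inferring it from the OID.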

0 Answers