shibboleth &mdash; Kevin Sandy https://kevinsandy.com/tag:shibboleth Thoughts, musings, ramblings, and rants Tue, 21 Apr 2026 10:41:24 +0000 https://i.snap.as/IC0yYUyI.png shibboleth &mdash; Kevin Sandy https://kevinsandy.com/tag:shibboleth Using objectGUID in Shibboleth IdP https://kevinsandy.com/using-objectguid-in-shibboleth-idp?pk_campaign=rss-feed <![CDATA[I was setting up a new Shibboleth IdP in my lab to run some tests. When integrating it with my Active Directory domain, I wanted to use the objectGUID attribute as a unique user identifier. It meets the requirements of being unique and not reusable, while also not exposing any undesirable information like objectSID would. !--more-- The problem is that objectGUID is stored as a binary attribute, so it must be handled differently in the IdP. Shibboleth has the ability to automatically handle binary attributes by listing them in a BinaryAttributes tag, but it does so by base64 encoding them. This isn't ideal because some SAML attributes, like a href="https://www.switch.ch/aai/support/documents/attributes/edupersonuniqueid/" target="_blank"eduPersonUniqueId/a, only allow alphanumeric characters. The solution I came up with was to allow Shibboleth to do the binary conversion, but then transform the base64 data to hex codes. The result is a user identifier that is unique, not reusable, and entirely composed of alphanumeric values. Here are the relevant parts of my attribute-resolver.xml setup. ?xml version="1.0" encoding="UTF-8"? <AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd" !-- ========================================== -- !-- Attributes -- !-- ========================================== -- AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" InputAttributeDefinition ref="userIdentifier"/ /AttributeDefinition AttributeDefinition id="eduPersonUniqueId" xsi:type="Scoped" scope="%{idp.scope}" InputAttributeDefinition ref="userIdentifier"/ /AttributeDefinition AttributeDefinition id="userIdentifier" xsi:type="ScriptedAttribute" dependencyOnly="true" InputDataConnector ref="activeDirectory" attributeNames="objectGUID"/ Script <![CDATA[ var base64guid = objectGUID.getValues().get(0); var hexguid = ''; for ( var i=0; i < base64guid.length; i++ ) { var hex = base64guid.charCodeAt(i).toString(16); if ( hex.length == 1 ) { hex = '0' + hex; } hexguid += hex; } userIdentifier.addValue(hexguid); ]] /Script /AttributeDefinition !-- ========================================== -- !-- Data Connectors -- !-- ========================================== -- <DataConnector id="activeDirectory" xsi:type="LDAPDirectory" ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" baseDN="%{idp.attribute.resolver.LDAP.baseDN}" principal="%{idp.attribute.resolver.LDAP.bindDN}" principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}" useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}" connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}" responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}" FilterTemplate <![CDATA[ %{idp.attribute.resolver.LDAP.searchFilter} ]] /FilterTemplate BinaryAttributesobjectGUID/BinaryAttributes ReturnAttributesgivenName sn displayName mail objectGUID/ReturnAttributes /DataConnector /AttributeResolver shibboleth]]> I was setting up a new Shibboleth IdP in my lab to run some tests. When integrating it with my Active Directory domain, I wanted to use the objectGUID attribute as a unique user identifier. It meets the requirements of being unique and not reusable, while also not exposing any undesirable information like objectSID would.

The problem is that objectGUID is stored as a binary attribute, so it must be handled differently in the IdP. Shibboleth has the ability to automatically handle binary attributes by listing them in a <BinaryAttributes> tag, but it does so by base64 encoding them. This isn't ideal because some SAML attributes, like eduPersonUniqueId, only allow alphanumeric characters.

The solution I came up with was to allow Shibboleth to do the binary conversion, but then transform the base64 data to hex codes. The result is a user identifier that is unique, not reusable, and entirely composed of alphanumeric values.

Here are the relevant parts of my attribute-resolver.xml setup.

<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
        xmlns="urn:mace:shibboleth:2.0:resolver" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <!-- ========================================== -->
    <!--      Attributes                            -->
    <!-- ========================================== -->

    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}">
        <InputAttributeDefinition ref="userIdentifier"/>
    </AttributeDefinition>

    <AttributeDefinition id="eduPersonUniqueId" xsi:type="Scoped" scope="%{idp.scope}">
        <InputAttributeDefinition ref="userIdentifier"/>
    </AttributeDefinition>

    <AttributeDefinition id="userIdentifier" xsi:type="ScriptedAttribute" dependencyOnly="true">
        <InputDataConnector ref="activeDirectory" attributeNames="objectGUID"/>
        <Script>
            <![CDATA[
            var base64guid = objectGUID.getValues().get(0);
            var hexguid = '';
            for ( var i=0; i < base64guid.length; i++ ) {
                var hex = base64guid.charCodeAt(i).toString(16);
                if ( hex.length == 1 ) {
                    hex = '0' + hex;
                }
                hexguid += hex;
            }
            userIdentifier.addValue(hexguid);
            ]]>
        </Script>
    </AttributeDefinition>

    <!-- ========================================== -->
    <!--      Data Connectors                       -->
    <!-- ========================================== -->

    <DataConnector
            id="activeDirectory"
            xsi:type="LDAPDirectory"
            ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
            baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
            principal="%{idp.attribute.resolver.LDAP.bindDN}"
            principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
            useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}"
            connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
            responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
        <FilterTemplate>
            <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </FilterTemplate>
        <BinaryAttributes>objectGUID</BinaryAttributes>
        <ReturnAttributes>givenName sn displayName mail objectGUID</ReturnAttributes>
    </DataConnector>

</AttributeResolver>

#shibboleth

]]> https://kevinsandy.com/using-objectguid-in-shibboleth-idp Sat, 05 Nov 2022 13:20:55 +0000