Group Membership
Beginning in July 2018, we offer an attribute that passes Wolftech AD group memberships to Service Provider (SP) clients that request it.
This attribute uses the standard LDAP name and OID:
| AttributeID | SAML2 Name | Suggested ENV Name |
|---|---|---|
| isMemberOf | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | SHIB_MEMBEROF |
We have also added a shorter version that only returns the CN part of the group memberships, using a custom attribute name:
| AttributeID | SAML2 Name | Suggested ENV Name |
|---|---|---|
| ncsuADGroups | ncsuADGroups | SHIB_GROUPS |
Values
This is a multi-valued attribute which can list many groups for some users. For example, one OIT employee currently has 19 group memberships.
Group names in isMemberOf are returned in fully-qualified distinguished name (DN) format. For example: CN=WT-NCSU-All Staff,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu
Group names in ncsuADGroups contain only the common name (CN) portion of the group name. For example: WT-NCSU-All Staff
We can filter the group list so that only the subset of groups relevant to your application is released. For example, a request for CN=OIT-.* would return only the groups whose name begins with the OIT department prefix. You may also request specific groups by listing their full DNs.
Limitations
Groups are only provided by our primary Unity Identity Provider (IdP), shib.ncsu.edu.
Groups are only queried from Wolftech AD. Users with partially disabled Unity accounts are moved to another AD server and will not have groups.
Groups are only evaluated one level deep. For example, if user01 is a member of smallgroup02, and smallgroup02 is a member of biggroup03, then Shibboleth will report membership in smallgroup02 only. AD requires a special connection setup to evaluate nested groups, which Shibboleth does not support. [1]
Requesting These Attributes
SP owners must request isMemberOf and/or ncsuADGroups as attributes in section 1 of the access request form at go.ncsu.edu/shib-access-request. These attributes are released only upon request.
SPs that are already registered may request that these attributes be added by sending an email to shibboleth-help@ncsu.edu. Be sure to include the entityID of the SP that needs to receive the attributes.
In either case, please include details on how you plan to use the attribute. Also consider whether you need the full list of all groups, or a subset that we can filter before passing along.
Using the Attributes
If you have an existing SP that will add this attribute, make sure you add an entry for it to your attribute map file. Sites using our suggested mappings can simply download the updated file, sample30-attribute-map.xml, and replace the copy on your server at /etc/shibboleth/attribute-map.xml.
If you want to manually add the mapping, edit your /etc/shibboleth/attribute-map.xml file and add an entry like this to it:
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="SHIB_MEMBEROF" />
<Attribute name="ncsuADGroups" id="SHIB_GROUPS" />
If you are not using our suggested mappings, you can change the id portion of each entry above to a name of your choice. The SP will expose that name as an environment variable to your programs.
After you have updated your map file, restart shibd and test to verify the new attribute is being passed in the environment.
Each group in the list is separated by a semicolon when the list is passed through the environment. For example, when testing with PHP you might see:
[SHIB_MEMBEROF] => CN=WT-OIT-Shared Services,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu;CN=WT-NCSU-All Staff,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu;...
[SHIB_GROUPS] => WT-OIT-Shared Services;WT-NCSU-All Staff;...
In .htaccess Files
Here's a simple example of an .htaccess entry that requires users to be a member of one of three AD groups.
AuthType shibboleth
ShibRequestSetting requireSession true
require shib-attr SHIB_MEMBEROF "CN=NCSU-B-Unity Users,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu"
require shib-attr SHIB_MEMBEROF "CN=NCSU-D-Unity Users,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu"
require shib-attr SHIB_MEMBEROF "CN=NCSU-J-Unity Users,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu"
Using SHIB_GROUPS for .htaccess access control is not recommended unless you can be certain that multiple groups with the same CN will not exist in different OUs.
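The following is an added example (not code from this page or from NC State OIT) showing how an application can consume the semicolon-separated SHIB_MEMBEROF value described above and why a full-DN comparison is safer than the CN-only check that SHIB_GROUPS allows. It assumes the Shibboleth SP convention of escaping a literal semicolon inside a value as a backslash-semicolon, and the sample environment, including the two "App-Admins" groups in constructed OUs "Dept A" and "Dept B", is constructed for illustration.

```python
# Constructed sample of what the SP might place in a CGI/WSGI environment.
# It deliberately includes a CN ("App-Admins") that could exist in more
# than one OU, the situation the page warns about for SHIB_GROUPS.
SAMPLE_ENV = {
    "SHIB_MEMBEROF": (
        "CN=WT-NCSU-All Staff,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu;"
        "CN=App-Admins,OU=Dept B,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu"
    ),
    "SHIB_GROUPS": "WT-NCSU-All Staff;App-Admins",
}


def split_shib_values(raw):
    """Split a multi-valued SP attribute on unescaped semicolons.

    Assumption: the SP escapes a literal ';' inside a value as '\\;',
    so a naive raw.split(';') would corrupt such a value.
    """
    values, buf, i = [], [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):   # escaped character: keep it literally
            buf.append(raw[i + 1])
            i += 2
            continue
        if ch == ";":                          # unescaped separator ends a value
            values.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    values.append("".join(buf))
    return [v for v in values if v]            # drop empties from a trailing ';'


def normalize_dn(dn):
    """AD DNs are case-insensitive; compare them in one canonical form."""
    return dn.strip().lower()


def is_member(environ, required_dn):
    """Authorize on the full DN from SHIB_MEMBEROF: OU and domain must match."""
    groups = {normalize_dn(v) for v in split_shib_values(environ.get("SHIB_MEMBEROF", ""))}
    return normalize_dn(required_dn) in groups


def cn_only_check(environ, cn):
    """What a rule on SHIB_GROUPS effectively does: it cannot tell which OU matched."""
    cns = {v.lower() for v in split_shib_values(environ.get("SHIB_GROUPS", ""))}
    return cn.lower() in cns
```

The CN-only check accepts "App-Admins" regardless of OU, while the DN check distinguishes the "Dept B" group the user is actually in from a same-named group elsewhere.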
[1] See the OBJECT scope search query thread for technical details.