<?xml version="1.0" encoding="UTF-8"?>
<!--
  ADFSToolkit configuration template.
  Institution-specific values (the empty elements and the EXAMPLE.COM placeholders)
  are filled in when a configuration is generated from this file; the commented-out
  examples are NOT updated (see the eduPersonAffiliation section below).
-->
<configuration>
  <ConfigVersion>1.3</ConfigVersion>

  <!-- Files kept next to the configuration -->
  <SPHashFile>SPHash.xml</SPHashFile>
  <MetadataCacheFile>metadata.cached.xml</MetadataCacheFile>
  <LocalRelyingPartyFile>get-ADFSTkLocalManualSPSettings.ps1</LocalRelyingPartyFile>

  <!-- Optional prefix applied to metadata-derived names; separator used between prefix and name -->
  <MetadataPrefix/>
  <MetadataPrefixSeparator>:</MetadataPrefixSeparator>

  <!-- Empty in the template (element name kept as the toolkit expects it, typo included) -->
  <eduPersonPrincipalNameRessignable/>

  <Logging useEventLog="true">
    <LogName>ADFSToolkit</LogName>
    <Source>Import-ADFSTkMetadata</Source>
  </Logging>

  <!-- Location of the federation metadata; empty in the template -->
  <metadataURL/>
  <!-- NOTE(review): presumably the fingerprint of the certificate that signs the metadata
       fetched from metadataURL - confirm against Import-ADFSTkMetadata. Keep it populated in
       a live configuration so the downloaded metadata can be pinned to a known signer. -->
  <signCertFingerprint/>

  <claimsProviders>
    <claimsProvider>Active Directory</claimsProvider>
  </claimsProviders>

  <!-- Organisation-wide constants; empty elements are filled in per institution -->
  <staticValues>
    <o/>
    <co/>
    <c/>
    <schacHomeOrganization/>
    <norEduOrgAcronym/>
    <!-- Default is the value for an EU higher-education institution. Other allowed values:
           urn:schac:homeOrganizationType:int:NREN
           urn:schac:homeOrganizationType:int:universityHospital
           urn:schac:homeOrganizationType:int:NRENAffiliate
           urn:schac:homeOrganizationType:int:other -->
    <schacHomeOrganizationType>urn:schac:homeOrganizationType:eu:educationInstitution</schacHomeOrganizationType>
    <ADFSExternalDNS/>
  </staticValues>

  <storeConfig>
    <stores>
      <!-- Only the Active Directory store is enabled in the template -->
      <store name="Active Directory"
             storetype="Active Directory"
             issuer="AD AUTHORITY"
             type="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
             order="1" />
      <!-- Example of a custom attribute store (disabled):
      <store name="Custom Store" storetype="Custom Store" issuer="AD AUTHORITY" type="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" order="2" />
      -->
      <!-- Example of a SQL attribute store (disabled). {0} appears to be the placeholder for the
           input claim value. NOTE(review): before enabling a query like this, confirm that the
           store binds {0} as a query parameter rather than splicing the claim text into the
           statement.
      <store name="SQL" storetype="SQL" issuer="AD AUTHORITY" type="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" order="3">
        <query>SELECT CONVERT(varchar(10), Id) FROM [LiUDB].[dbo].[EmployeeIdGen] WHERE uid = REPLACE({0}, 'TEST\', '')</query>
      </store>
      -->
    </stores>
  </storeConfig>

  <transformRules>
    <rule name="ADFSTkExtractSubjectUniqueId"
          originClaim="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
  </transformRules>

  <attributes>
    <!-- Basic identity attributes read from Active Directory -->
    <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
               store="Active Directory" name="givenname" />
    <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
               store="Active Directory" name="sn" />
    <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname"
               store="Active Directory" name="displayname" />
    <!-- CommonName is sourced from displayname here, not from cn -->
    <attribute type="http://schemas.xmlsoap.org/claims/CommonName"
               store="Active Directory" name="displayname" />
    <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
               store="Active Directory" name="name" />
    <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
               store="Active Directory" name="mail" />

    <!--
      eduPersonAffiliation and eduPersonScopedAffiliation settings
        Scenario A. Static assignment: all active users declared 'member'
        Scenario B. Dynamic assignment based on group SID
        Scenario C. Attribute assignment based on the presence of eduPersonAffiliation in the directory
      In this template Scenario C is the one left enabled; A and B are kept below as
      commented-out examples. EXAMPLE.COM stands in wherever your domain scope is needed,
      for easy search and replace. Because this file is a template, the commented-out
      examples will NOT be updated.
    -->

    <!-- Scenario A. Static assignment (comment out if you enable another technique)
    <attribute type="urn:mace:dir:attribute-def:eduPersonAffiliation" store="Static" >
      <value>member</value>
    </attribute>
    end Scenario A. Static assignment -->

    <!-- In this template the field below is updated dynamically from eduPersonAffiliation above
         by new-ADFSTkConfiguration, which bakes in the domain
    <attribute type="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" store="Static" >
    </attribute>
    end Scenario A. Static assignment -->

    <!-- Scenario B. Dynamic assignment (replace the SID-FOR-... placeholders with real group SIDs)
    <attribute type="urn:mace:dir:attribute-def:eduPersonAffiliation" store="Active Directory" name="eduPersonAffiliation" useGroups="true" claimOrigin="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid">
      <group name="SID-FOR-FACULTY-GROUP" value="faculty"/>
      <group name="SID-FOR-STAFF-GROUP" value="staff"/>
      <group name="SID-FOR-EMPLOYEE-GROUP" value="employee"/>
      <group name="SID-FOR-STUDENT-GROUP" value="student"/>
      <group name="SID-FOR-ALUM-GROUP" value="alum"/>
      <group name="SID-FOR-AFFILIATE-GROUP" value="affiliate"/>
      <group name="SID-FOR-MEMBER-GROUP" value="member"/>
      <group name="SID-FOR-LIBRARYWALKIN-GROUP" value="library-walk-in"/>
    </attribute>
    <attribute type="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" store="Active Directory" name="eduPersonScopedAffiliation" useGroups="true" claimOrigin="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" >
      <group name="SID-FOR-FACULTY-GROUP" value="faculty@EXAMPLE.COM"/>
      <group name="SID-FOR-STAFF-GROUP" value="staff@EXAMPLE.COM"/>
      <group name="SID-FOR-EMPLOYEE-GROUP" value="employee@EXAMPLE.COM"/>
      <group name="SID-FOR-STUDENT-GROUP" value="student@EXAMPLE.COM"/>
      <group name="SID-FOR-ALUM-GROUP" value="alum@EXAMPLE.COM"/>
      <group name="SID-FOR-AFFILIATE-GROUP" value="affiliate@EXAMPLE.COM"/>
      <group name="SID-FOR-MEMBER-GROUP" value="member@EXAMPLE.COM"/>
      <group name="SID-FOR-LIBRARYWALKIN-GROUP" value="library-walk-in@EXAMPLE.COM"/>
    </attribute>
    end Scenario B. Dynamic assignment -->

    <!-- Scenario C. Attribute assignment (enabled). Only the values listed as restrictedvalue
         are released; anything else stored in the directory attribute is dropped. -->
    <attribute type="urn:mace:dir:attribute-def:eduPersonAffiliation"
               store="Active Directory" name="eduPersonAffiliation">
      <restrictedvalue>faculty</restrictedvalue>
      <restrictedvalue>staff</restrictedvalue>
      <restrictedvalue>employee</restrictedvalue>
      <restrictedvalue>student</restrictedvalue>
      <restrictedvalue>alum</restrictedvalue>
      <restrictedvalue>affiliate</restrictedvalue>
      <restrictedvalue>member</restrictedvalue>
      <restrictedvalue>library-walk-in</restrictedvalue>
    </attribute>
    <attribute type="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
               store="Active Directory" name="eduPersonScopedAffiliation" >
    </attribute>
    <!-- end Scenario C. Attribute assignment -->

    <!-- Attribute filter pivoting on allowedRegistrationAuthorities - useful for GDPR purposes.
           Absence of allowedRegistrationAuthorities: no action taken.
           Presence of allowedRegistrationAuthorities: the attribute is released only to the
           listed registration authorities (one or more).
         The eduPersonEntitlement example below does not set it. -->
    <attribute type="urn:mace:dir:attribute-def:eduPersonEntitlement"
               store="Active Directory" name="edupersonentitlement" useGroups="true">
      <!-- One group may map to several entitlement values -->
      <group name="employee" value="urn:mace:terena.org:tcs:personal-user" />
      <group name="employee" value="urn:mace:terena.org:tcs:escience-user" />
      <group name="Terena Personal Certificate Admin" value="urn:mace:terena.org:tcs:personal-admin" />
      <group name="Terena Personal Certificate Admin" value="urn:mace:terena.org:tcs:escience-admin" />
    </attribute>

    <!-- Attention! Never send any AssuranceLevel(s) your institution isn't certified for.
         The two values below are EXAMPLE.COM placeholders. -->
    <attribute type="urn:mace:dir:attribute-def:eduPersonAssurance" store="Static">
      <value>http://www.EXAMPLE.COM/policy/assurance/al1</value>
      <value>http://www.EXAMPLE.COM/policy/assurance/al2</value>
    </attribute>

    <attribute type="urn:mace:dir:attribute-def:eduPersonUniqueID"
               store="Active Directory" name="objectGUID" />
    <attribute type="http://schemas.xmlsoap.org/claims/samaccountname"
               store="Active Directory" name="samaccountname" />
    <attribute type="http://schemas.xmlsoap.org/claims/Group"
               store="Active Directory" name="tokenGroups" />
  </attributes>
</configuration>