<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" default-init-method="initialize" default-destroy-method="destroy"> <!-- ========================= SAML NameID Generation ========================= --> <!-- These generator lists handle NameID/Nameidentifier generation going forward. By default, transient IDs for both SAML versions are enabled. The commented examples are for persistent IDs and generating more one-off formats based on resolved attributes. The suggested approach is to control their use via release of the underlying source attribute in the filter policy rather than here, but you can set a property on any generator called "activationCondition" to limit use in the most generic way. Most of the relevant configuration settings are controlled using properties; an exception is the generation of arbitrary/custom formats based on attribute information, examples of which are shown below. --> <!-- SAML 2 NameID Generation --> <util:list id="shibboleth.SAML2NameIDGenerators"> <ref bean="shibboleth.SAML2TransientGenerator" /> <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> <!-- <ref bean="shibboleth.SAML2PersistentGenerator" /> --> <!-- <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'mail'} }" /> --> <!-- -B- 20170320 Disable PersistentID for MicrosoftOnline and enable it for others--> <bean parent="shibboleth.SAML2PersistentGenerator"> <property name="activationCondition"> <bean parent="shibboleth.Conditions.NOT"> <constructor-arg> <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'urn:federation:MicrosoftOnline'}}" /> </constructor-arg> </bean> </property> </bean> <!-- -B- 20170319 from http://shibboleth.1660669.n2.nabble.com/Idp3-GAFE-td7626028.html --> <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'Gprincipal'} }" > <property name="activationCondition" > <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="google.com" /> </property> </bean> <!-- -B- 20170320 --> <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" p:attributeSourceIds="#{ {'ImmutableID'} }"> <property name="activationCondition"> <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'urn:federation:MicrosoftOnline'}}" /> </property> </bean> <!-- -B- 20210217 --> <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'email'} }" > <property name="activationCondition" > <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://sso.grammarly.com/saml/metadata" /> </property> </bean> </util:list> <!-- SAML 1 NameIdentifier Generation --> <util:list id="shibboleth.SAML1NameIdentifierGenerators"> <ref bean="shibboleth.SAML1TransientGenerator" /> <!-- <bean parent="shibboleth.SAML1AttributeSourcedGenerator" p:omitQualifiers="true" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'mail'} }" /> --> </util:list> </beans>
CESNET, z. s. p. o.
Generála Píky 26
16000 Praha 6
info@cesnet.cz
Tel: +420 234 680 222
GSM: +420 602 252 531
support@cesnet.cz