config/default/en-US/config.ADFSTk.default_en.xml
|
<?xml version="1.0"?>
<configuration> <ConfigVersion>1.0</ConfigVersion> <WorkingPath>c:\Program Files\WindowsPowerShell\Modules\ADFSToolkit</WorkingPath> <ConfigDir>/config</ConfigDir> <CacheDir>/cache</CacheDir> <SPHashFile>SPHash.xml</SPHashFile> <MetadataCacheFile>metadata.cached.xml</MetadataCacheFile> <LocalRelyingPartyFile>get-ADFSTkLocalManualSPSettings.ps1</LocalRelyingPartyFile> <MetadataPrefix>A prefix that are added to the Service Provider�s name in AD FS Console</MetadataPrefix> <MetadataPrefixSeparator>:</MetadataPrefixSeparator> <Logging useEventLog="true"> <LogName>ADFSToolkit</LogName> <Source>Import-ADFSTkMetadata</Source> </Logging> <metadataURL>The URL to the federated metadata</metadataURL> <signCertFingerprint>The fingerprint of the certificate that signs the metadata</signCertFingerprint> <claimsProviders> <claimsProvider>Active Directory</claimsProvider> </claimsProviders> <staticValues> <o>The name of your institution</o> <co>The name of your Country</co> <c>Country Code</c> <schacHomeOrganization>The DNS name of your institution</schacHomeOrganization> <norEduOrgAcronym>The short name of your institution</norEduOrgAcronym> <schacHomeOrganizationType>urn:schac:homeOrganizationType:eu:educationInstitution</schacHomeOrganizationType> <!-- This value is for EU higher education institution, other allowed values are: urn:schac:homeOrganizationType:eu:educationInstitution urn:schac:homeOrganizationType:int:NREN urn:schac:homeOrganizationType:int:universityHospital urn:schac:homeOrganizationType:int:NRENAffiliate urn:schac:homeOrganizationType:int:other --> <ADFSExternalDNS>The DNS name of your ADFS</ADFSExternalDNS> </staticValues> <storeConfig> <stores> <store name="Active Directory" issuer="AD AUTHORITY" type="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" order="1" /> <!--<store name="Custom Store" issuer="AD AUTHORITY" type="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" order="2" />--> <!-- <store name="SQL" issuer="SQL" type="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" order="3"> <query>SELECT CONVERT(varchar(10), Id) FROM [LiUDB].[dbo].[EmployeeIdGen] WHERE uid = {0}</query> </store> --> </stores> <transformRules> <rule name="ADFSTkExtractSubjectUniqueId" originClaim="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" /> </transformRules> <attributes> <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" store="Active Directory" name="givenname" /> <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" store="Active Directory" name="sn" /> <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname" store="Active Directory" name="displayname" /> <attribute type="http://schemas.xmlsoap.org/claims/CommonName" store="Active Directory" name="cn" /> <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" store="Active Directory" name="name" /> <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" store="Active Directory" name="mail" /> <!-- eduPersonAffilation and eduPersonScopedAffiliation settings Scenario A. Static assignement with all active users declared 'member' (default) Scenario B. Dynamic assignment based on GroupSID Scenario C. Attribute ssignment based on presence of eduPersonAffiliation in directory Note that EXAMPLE.COM is used where your domain scope is needed for easy search and replace for your domain. This file is a template so commented out examples will NOT be updated --> <!-- Scenario A. Static assignment (default, comment out if you enable another technique --> <attribute type="urn:mace:dir:attribute-def:eduPersonAffiliation" store="Static" > <value>member</value> </attribute> <!-- note that in this template this field will be dynamically updated by eduPersonAfilliation above by new-ADFSTkConfiguration baking in the domain --> <attribute type="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" store="Static" > </attribute> <!-- end Scenario A. Static assignment --> <!-- Scenario B. Dynamic assignment <attribute type="urn:mace:dir:attribute-def:eduPersonAffiliation" store="Active Directory" name="eduPersonAffiliation" useGroups="true" claimOrigin="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"> <group name="SID-FOR-FACULTY-GROUP" value="faculty"/> <group name="SID-FOR-STAFF-GROUP" value="staff"/> <group name="SID-FOR-EMPLOYEE-GROUP" value="employee"/> <group name="SID-FOR-STUDENT-GROUP" value="student"/> <group name="SID-FOR-ALUM-GROUP" value="alum"/> <group name="SID-FOR-AFFILIATE-GROUP" value="affiliate"/> <group name="SID-FOR-MEMBER-GROUP" value="member"/> <group name="SID-FOR-LIBRARYWALKIN-GROUP" value="library-walk-in"/> </attribute> <attribute type="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" store="Active Directory" name="eduPersonScopedAffiliation" useGroups="true" claimOrigin="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" > <group name="SID-FOR-FACULTY-GROUP" value="faculty@EXAMPLE.COM"/> <group name="SID-FOR-STAFF-GROUP" value="staff@EXAMPLE.COM"/> <group name="SID-FOR-EMPLOYEE-GROUP" value="employee@EXAMPLE.COM"/> <group name="SID-FOR-STUDENT-GROUP" value="student@EXAMPLE.COM"/> <group name="SID-FOR-ALUM-GROUP" value="alum@EXAMPLE.COM"/> <group name="SID-FOR-AFFILIATE-GROUP" value="affiliate@EXAMPLE.COM"/> <group name="SID-FOR-MEMBER-GROUP" value="member@EXAMPLE.COM"/> <group name="SID-FOR-LIBRARYWALKIN-GROUP" value="library-walk-in@EXAMPLE.COM"/> </attribute> end Scenario B. Dynamic assignment --> <!-- Scenario C. Attribute assignment <attribute type="urn:mace:dir:attribute-def:eduPersonAffiliation" store="Active Directory" name="eduPersonAffiliation"> <restrictedvalue>faculty</restrictedvalue> <restrictedvalue>staff</restrictedvalue> <restrictedvalue>employee</restrictedvalue> <restrictedvalue>student</restrictedvalue> <restrictedvalue>alum</restrictedvalue> <restrictedvalue>affiliate</restrictedvalue> <restrictedvalue>member</restrictedvalue> <restrictedvalue>library-walk-in</restrictedvalue> </attribute> <attribute type="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" store="Active Directory" name="eduPersonScopedAffiliation" > </attribute> end Scenario C. Attribute assignment --> <!-- Attribute filter pivoting on allowedRegistrationAuthorities - useful for GDPR purposes Absence of allowedRegsitrationAuthorities - no action taken Presence of allowedRegistrationAuthorities - attribute filters to be present in only said RA (one or more) --> <!-- <attribute type="urn:mace:dir:attribute-def:norEduPersonNIN" store="Active Directory" name="norEduPersonNIN"> <allowedRegistrationAuthorities> <registrationAuthority>http://www.swamid.se/</registrationAuthority> </allowedRegistrationAuthorities> </attribute> --> <attribute type="urn:mace:dir:attribute-def:norEduPersonLIN" store="Active Directory" name="norEduPersonLIN" /> <attribute type="urn:mace:dir:attribute-def:eduPersonEntitlement" store="Active Directory" name="edupersonentitlement" useGroups="true"> <group name="employee" value="urn:mace:terena.org:tcs:personal-user" /> <group name="employee" value="urn:mace:terena.org:tcs:escience-user" /> <group name="Terena Personal Certificate Admin" value="urn:mace:terena.org:tcs:personal-admin" /> <group name="Terena Personal Certificate Admin" value="urn:mace:terena.org:tcs:escience-admin" /> </attribute> <attribute type="urn:mace:dir:attribute-def:eduPersonAssurance" store="Static"> <value>http://www.EXAMPLE.COM/policy/assurance/al1</value> <value>http://www.EXAMPLE.COM/policy/assurance/al2</value> </attribute> <attribute type="http://schemas.xmlsoap.org/claims/samaccountname" store="Active Directory" name="samaccountname" /> <attribute type="http://schemas.xmlsoap.org/claims/Group" store="Active Directory" name="tokenGroups" /> </attributes> </storeConfig> </configuration> |