ADFSToolkit

2.3.0

config/default/config.ADFSTk.default.xml

                                <?xml version="1.0" encoding="UTF-8"?>

<configuration>

    <ConfigVersion>1.4</ConfigVersion>

    <SPHashFile>SPHash.xml</SPHashFile>

    <MetadataCacheFile>metadata.cached.xml</MetadataCacheFile>

    <LocalRelyingPartyFile>get-ADFSTkLocalManualSPSettings.ps1</LocalRelyingPartyFile>

    <MetadataPrefix/>

    <MetadataPrefixSeparator>:</MetadataPrefixSeparator>

    <eduPersonPrincipalNameRessignable/>

    <Logging useEventLog="true">

        <LogName>ADFSToolkit</LogName>

        <Source>Import-ADFSTkMetadata</Source>

    </Logging>

    <metadataURL/>

    <signCertFingerprint/>

    <claimsProviders>

        <claimsProvider>Active Directory</claimsProvider>

    </claimsProviders>

    <staticValues>

        <o/>

        <co/>

        <c/>

        <schacHomeOrganization/>

        <norEduOrgAcronym/>

        <schacHomeOrganizationType>urn:schac:homeOrganizationType:eu:educationInstitution</schacHomeOrganizationType>

        <!-- This value is for EU higher education institution, other allowed values are:

            urn:schac:homeOrganizationType:eu:educationInstitution

            urn:schac:homeOrganizationType:int:NREN

            urn:schac:homeOrganizationType:int:universityHospital

            urn:schac:homeOrganizationType:int:NRENAffiliate

            urn:schac:homeOrganizationType:int:other

        -->

        <ADFSExternalDNS/>

    </staticValues>

    <storeConfig>

        <stores>

            <store name="Active Directory" storetype="Active Directory" issuer="AD AUTHORITY" type="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" order="1" />

            <!--<store name="Custom Store" storetype="Custom Store" issuer="AD AUTHORITY" type="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" order="2" />-->

            <!-- <store name="SQL" storetype="SQL" issuer="AD AUTHORITY" type="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" order="3">

                <query>SELECT CONVERT(varchar(10), Id) FROM [LiUDB].[dbo].[EmployeeIdGen] WHERE uid = REPLACE({0}, 'TEST\', '')</query>

            </store> -->

        </stores>

    </storeConfig>

    <transformRules>

        <rule name="ADFSTkExtractSubjectUniqueId" originClaim="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />

    </transformRules>

    <attributes>

        <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" store="Active Directory" name="givenname" />

        <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" store="Active Directory" name="sn" />

        <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname" store="Active Directory" name="displayname" />

        <attribute type="http://schemas.xmlsoap.org/claims/CommonName" store="Active Directory" name="displayname" />

        <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" store="Active Directory" name="name" />

        <attribute type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" store="Active Directory" name="mail" />

        <!-- eduPersonAffilation and eduPersonScopedAffiliation settings

                Scenario A. Static assignement with all active users declared 'member' (default)

                Scenario B. Dynamic assignment based on GroupSID

                Scenario C. Attribute ssignment based on presence of eduPersonAffiliation in directory

             Note that EXAMPLE.COM is used where your domain scope is needed for easy search and replace for your domain.

             This file is a template so commented out examples will NOT be updated

             -->

        <!-- Scenario A. Static assignment (default, comment out if you enable another technique

             <attribute type="urn:mace:dir:attribute-def:eduPersonAffiliation" store="Static">

               <value>member</value>

             </attribute>

             end Scenario A. Static assignment -->

        <!-- note that in this template this field will be dynamically updated by eduPersonAfilliation above by new-ADFSTkConfiguration baking in the domain

              <attribute type="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" store="Static">

              </attribute>

              end Scenario A. Static assignment -->

        <!-- Scenario B. Dynamic assignment 

     <attribute type="urn:mace:dir:attribute-def:eduPersonAffiliation" store="Active Directory" name="eduPersonAffiliation" useGroups="true" claimOrigin="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid">

                <group name="SID-FOR-FACULTY-GROUP" value="faculty"/>

                <group name="SID-FOR-STAFF-GROUP" value="staff"/>

                <group name="SID-FOR-EMPLOYEE-GROUP" value="employee"/>

                <group name="SID-FOR-STUDENT-GROUP" value="student"/>

                <group name="SID-FOR-ALUM-GROUP" value="alum"/>

                <group name="SID-FOR-AFFILIATE-GROUP" value="affiliate"/>

                <group name="SID-FOR-MEMBER-GROUP" value="member"/>

                <group name="SID-FOR-LIBRARYWALKIN-GROUP" value="library-walk-in"/>

            </attribute>

      <attribute type="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" store="Active Directory" name="eduPersonScopedAffiliation" useGroups="true" claimOrigin="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid">

                <group name="SID-FOR-FACULTY-GROUP" value="faculty@EXAMPLE.COM"/>

                <group name="SID-FOR-STAFF-GROUP" value="staff@EXAMPLE.COM"/>

                <group name="SID-FOR-EMPLOYEE-GROUP" value="employee@EXAMPLE.COM"/>

                <group name="SID-FOR-STUDENT-GROUP" value="student@EXAMPLE.COM"/>

                <group name="SID-FOR-ALUM-GROUP" value="alum@EXAMPLE.COM"/>

                <group name="SID-FOR-AFFILIATE-GROUP" value="affiliate@EXAMPLE.COM"/>

                <group name="SID-FOR-MEMBER-GROUP" value="member@EXAMPLE.COM"/>

                <group name="SID-FOR-LIBRARYWALKIN-GROUP" value="library-walk-in@EXAMPLE.COM"/>

        </attribute> 

               end Scenario B. Dynamic assignment -->

        <!-- Scenario C. Attribute assignment -->

        <attribute type="urn:mace:dir:attribute-def:eduPersonAffiliation" store="Active Directory" name="eduPersonAffiliation">

            <restrictedvalue>faculty</restrictedvalue>

            <restrictedvalue>staff</restrictedvalue>

            <restrictedvalue>employee</restrictedvalue>

            <restrictedvalue>student</restrictedvalue>

            <restrictedvalue>alum</restrictedvalue>

            <restrictedvalue>affiliate</restrictedvalue>

            <restrictedvalue>member</restrictedvalue>

            <restrictedvalue>library-walk-in</restrictedvalue>

        </attribute>

        <attribute type="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" store="Active Directory" name="eduPersonScopedAffiliation">

        </attribute>

        <!-- end Scenario C. Attribute assignment -->

        <!-- Attribute filter pivoting on allowedRegistrationAuthorities - useful for GDPR purposes 

             Absence of allowedRegsitrationAuthorities - no action taken

             Presence of allowedRegistrationAuthorities - attribute filters to be present in only said RA (one or more)

            -->

        <attribute type="urn:mace:dir:attribute-def:eduPersonOrgDN" store="Static">

            <value>o=Hogwarts,dc=hsww,dc=wiz</value>

        </attribute>

        <!-- Attention! You might need to filter this attribute on SP level before releasing it. (Not needed for the European Student Identifier Entity Category) -->

        <attribute type="urn:mace:dir:attribute-def:schacPersonalUniqueCode " store="Active Directory" name="schacPersonalUniqueCode " />

        <!-- Attention! You might need to filter this attribute on SP level before releasing it. -->

        <attribute type="urn:mace:dir:attribute-def:eduPersonEntitlement" store="Active Directory" name="edupersonentitlement" />

        <!-- Attention! Never send any AssuranceLevel(s) your institution isn't certified for -->

        <attribute type="urn:mace:dir:attribute-def:eduPersonAssurance" store="Static">

            <value>https://refeds.org/assurance</value>

            <value>https://refeds.org/assurance/IAP/local-enterprise</value>

            <value>https://refeds.org/assurance/ID/eppn-unique-no-reassign</value>

            <!-- <value>https://refeds.org/assurance/IAP/low</value>

            <value>https://refeds.org/assurance/IAP/medium</value>

            <value>https://refeds.org/assurance/profile/cappuccino</value>

            <value>https://refeds.org/assurance/ID/unique</value>

            <value>https://refeds.org/assurance/ATP/ePA-1m</value>

            <value>https://refeds.org/assurance/ATP/ePA-1d</value> -->

        </attribute>

        <attribute type="urn:mace:dir:attribute-def:eduPersonUniqueID" store="Active Directory" name="objectGUID" />

        <attribute type="urn:oasis:names:tc:SAML:attribute:pairwise-id" store="Active Directory" name="samaccountname">

            <transformvalue adfstkstorefunction="pairwiseid" />

        </attribute>

        <attribute type="urn:oasis:names:tc:SAML:attribute:subject-id" store="Active Directory" name="samaccountname">

            <transformvalue adfstkstorefunction="subjectid" />

        </attribute>

        <attribute type="http://schemas.xmlsoap.org/claims/samaccountname" store="Active Directory" name="samaccountname" />

        <attribute type="http://schemas.xmlsoap.org/claims/Group" store="Active Directory" name="tokenGroups" />

    </attributes>

</configuration>