GakuNinShare: 特定のSPへのアサーションを暗号化しない設定
GakuNinShare: 特定のSPに対しePPNをNameIDに入れて送る設定方法
上記2つに加えて以下のような感じでカスタム属性を定義しWebexに送るようにする。
<resolver:AttributeDefinition id="uid-webex" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="uid">
<resolver:Dependency ref="myLDAP"/>
<resolver:AttributeEncoder xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="uid"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="firstname-webex" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="givenName">
<resolver:Dependency ref="myLDAP"/>
<resolver:AttributeEncoder xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="firstname"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="lastname-webex" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="sn">
<resolver:Dependency ref="myLDAP"/>
<resolver:AttributeEncoder xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="lastname"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="email-webex" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="mail">
<resolver:Dependency ref="myLDAP"/>
<resolver:AttributeEncoder xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="email"/>
</resolver:AttributeDefinition>
これでも動かない場合は以下の部分でアサーションに署名するようになっているか確認すること。
signResponses="never"
signAssertions="always"
参考:
Shib Users ML: Re: WebEx
Shib Users ML: SOLVED: Cisco WebEx error 31 "Auto account creation failed" two different ways...
Shibboleth Wiki: Webex and CirqLive Implementation