Hi All,
I’m somewhat new to OOD. Configuring the latest 3.1 with SAML / Mellon as idP. There are two attributes ‘MELLON_urn:oid:0.9.2342.19200300.100.1.1’ for the UID and ‘MELLON_urn:oid:0.9.2342.19200300.100.1.3’ for the user email. I’ve manager to define in the config/ood_portal.yml:
user_env: MELLON_urn:oid:0.9.2342.19200300.100.1.1
user_map_match: '.*'
this has allowed to get idP auth to work. The next would be propagating ‘MELLON_urn:oid:0.9.2342.19200300.100.1.3’ attribute (==user email) to PUN.
Here is a solution to try: How can I pass OIDC_CLAIM_EMAIL value to my applications? but only if I manage to map the SAML’s attribute to an environment variable and propagate it to PUN.
Tried next in the ood_portal.yml:
custom_vhost_directives:
- 'SetEnv OOD_USER_MAIL_ENV "MELLON_urn:oid:0.9.2342.19200300.100.1.3"'
pun_pre_hook_exports: "OOD_USER_ENV,OOD_USER_MAIL_ENV"
but a simple pun_pre_hook_root_cmd script with printenv gives me
...
OOD_OOD_USER_MAIL_ENV=MELLON_urn:oid:0.9.2342.19200300.100.1.3
There should be something simple that I miss…
My further idea for passing that idP provided attribute would be having a pun_pre_hook_root_cmd like
USEREMAILDIR="/dev/shm/emails"
[[ -d "$USEREMAILDIR" ]] || mkdir -m 755 "$USEREMAILDIR"
if [ ! -z ${OOD_USER_ENV+x} ]; then
EMAILFILE="${USEREMAILDIR}/${OOD_USER_ENV}"
echo "${OOD_USER_MAIL_ENV:-none}" > "${EMAILFILE}"
/bin/chown "$OOD_USER_ENV" "${EMAILFILE}"
/bin/chmod 750 "${EMAILFILE}"
fi
and the reading that file through the initializer either globally or within the app that wants the user email.
What do I miss here? Or is there a better way to pass SAML’s attributes to PUN?