...

The SP translates attributes that it receives on the wire, typically from SAML assertions, using an attribute extractor, typically configured via the attribute-map.xml file. The file contains a series of mapping rules that reference the "on the wire" representation of an attribute and connect it to a more convenient shorthand name.

To define a new mapping, add a new <Attribute> element. The name property in the rule corresponds to the formal SAML name the IdP is using for the attribute, generally a URI. The id property is the shorthand name to use, and determines the environment variable or header by which the attribute will be made available to the web application. The optional nameFormat property restricts the rule to attributes asserted with that SAML NameFormat, so an attribute sent with the same name but a different format will not match the rule.

...

Example of a Simple String-valued Attribute with nameFormat:

```xml
<Attribute name="https://example.org/myAttributes/FavoriteFruit" id="favFruit" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
```

...

The most common examples you will encounter can be seen among the default rules supplied, specifically decoding of scoped or name identifier values.

It is rare for a decoder to need to be specified explicitly. If you don't understand why you would use one, don't spend time on it, and don't try to fix problems by adding one: something else is wrong.

Filtering (Optional)

By default, an attribute mapping will decode and pass along any values encountered. Normally this is adequate, but for advanced scenarios, special filtering rules can be applied to the values extracted. For example, a controlled vocabulary can be defined, or specific IdPs can be prevented from asserting an attribute.

...

Externally to an application, you can utilize mapped attributes for static access control. Included with the SP are a pair of plugins, a cross-platform XML-based mechanism and support for Apache .htaccess.
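The three stages described above (mapping wire attributes to ids, filtering the extracted values, and applying a static access rule to the result) can be seen end to end in the following simulation. This is added example code written for this page, not Shibboleth SP source: the attribute-map.xml rules use the syntax shown on the page, but the filter policy (a permitted-value vocabulary and a per-attribute list of IdPs that may not assert it) and the `require` check are simplified stand-ins for the SP's own policy and access-control formats, and the assumption that a rule without nameFormat matches the URI and unspecified formats is this simulation's, not a statement about the SP. The attribute map, the SAML AttributeStatement and the issuer names are constructed inputs.

```python
"""Simulation of SP attribute mapping, value filtering and a static access
check. Example code for this page; not the Shibboleth SP implementation."""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed attribute-map.xml: the FavoriteFruit rule from the page plus
# two eduPerson/X.520 attributes mapped by OID without a nameFormat.
ATTRIBUTE_MAP = f"""<Attributes xmlns="{MAP_NS}">
  <Attribute name="https://example.org/myAttributes/FavoriteFruit" id="favFruit"
             nameFormat="{FMT_BASIC}"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="affiliation"/>
  <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
</Attributes>"""

# Constructed AttributeStatement. Note the second FavoriteFruit attribute is
# sent in URI format, so it does not match the rule and must be ignored.
STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML2_NS}">
  <saml:Attribute Name="https://example.org/myAttributes/FavoriteFruit" NameFormat="{FMT_BASIC}">
    <saml:AttributeValue>apple</saml:AttributeValue>
    <saml:AttributeValue>durian</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://example.org/myAttributes/FavoriteFruit" NameFormat="{FMT_URI}">
    <saml:AttributeValue>mango</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="{FMT_URI}">
    <saml:AttributeValue>member</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="{FMT_URI}">
    <saml:AttributeValue>Alice</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed, simplified filter policy (not the SP's policy file syntax):
# a controlled vocabulary for favFruit, and an IdP that may not assert affiliation.
POLICY = {
    "favFruit": {"permit_values": {"apple", "banana", "cherry"}},
    "affiliation": {"deny_issuers": {"https://untrusted.example.net/idp"}},
}


def load_rules(attribute_map_xml):
    """Parse <Attribute name id nameFormat> rules into {(name, format): id}.
    Assumption for this simulation: a rule without nameFormat is registered
    for both the URI and the unspecified format."""
    rules = {}
    for rule in ET.fromstring(attribute_map_xml).iter(f"{{{MAP_NS}}}Attribute"):
        fmts = [rule.get("nameFormat")] if rule.get("nameFormat") else [FMT_URI, FMT_UNSPEC]
        for fmt in fmts:
            rules[(rule.get("name"), fmt)] = rule.get("id")
    return rules


def map_attributes(rules, statement_xml):
    """Return {id: [values]} for each wire attribute whose (Name, NameFormat)
    matches a rule; unmatched attributes are dropped, not passed through."""
    mapped = {}
    for attr in ET.fromstring(statement_xml).iter(f"{{{SAML2_NS}}}Attribute"):
        key = (attr.get("Name"), attr.get("NameFormat", FMT_UNSPEC))  # SAML default format
        ident = rules.get(key)
        if ident is None:
            continue
        values = [v.text or "" for v in attr.iter(f"{{{SAML2_NS}}}AttributeValue")]
        mapped.setdefault(ident, []).extend(values)
    return mapped


def apply_policy(mapped, issuer, policy):
    """Drop values outside the permitted vocabulary and whole attributes the
    asserting IdP is not allowed to supply; attributes left empty disappear."""
    out = {}
    for ident, values in mapped.items():
        rule = policy.get(ident, {})
        if issuer in rule.get("deny_issuers", set()):
            continue
        vocab = rule.get("permit_values")
        kept = [v for v in values if vocab is None or v in vocab]
        if kept:
            out[ident] = kept
    return out


def require(mapped, ident, accepted):
    """Static access check: grant if any value of `ident` is in `accepted`.
    A missing attribute never grants access."""
    return any(v in accepted for v in mapped.get(ident, []))


if __name__ == "__main__":
    rules = load_rules(ATTRIBUTE_MAP)
    mapped = map_attributes(rules, STATEMENT)
    for issuer in ("https://idp.example.org/idp", "https://untrusted.example.net/idp"):
        filtered = apply_policy(mapped, issuer, POLICY)
        print(issuer, filtered, "grant:", require(filtered, "favFruit", {"apple", "banana"}))
```

Two points worth noticing when running it: the URI-format FavoriteFruit value ("mango") never reaches the application because the rule is pinned to the basic format, and "durian" survives mapping but is removed by the vocabulary filter, so an access rule written against the unfiltered mapping would behave differently from one written against the filtered result.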

...