...
- The static data connector is used to add statically attributes and values to every person served by the identity provider. An example usage of this connector would be to add an entitlement attribute that everyone in your organization receives.
- The computed ID data connector is used to construct unique identifiers by hashing together some information.
- The stored ID data connector is used to construct and persist identifiers by means of a database.
- The relational database connector is used to pull attributes from a relational database by executing some configured SQL.
- The LDAP data connector is used to pull attributes from an LDAP directory by executing an LDAP filter on a specific branch.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | Example Data Connectorxml |
|---|
|
<resolver:DataConnector xsi:type="dc:RelationalDatabase"
xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="MyDatabase">
<ApplicationManagedConnection jdbcDriver="org.hsqldb.jdbcDriver"
jdbcURL="jdbc:hsqldb:res:/data/database/shibdb"
jdbcUserName="sa" />
<QueryTemplate>
<![CDATA[
SELECT * FROM PEOPLE WHERE netid='${principal}'
]]>
</QueryTemplate>
</resolver:DataConnector>
|
...
- The simple attribute definition is used to handle flat attributes with a simple name and values.
- The scoped attribute definition is used to handle flat attributes with a simple name and scoped values.
- The prescoped attribute definition creates scoped attribute values from a delimited string (e.g. staff@example.org).
- The principal name attribute definition creates an attribute whose value is the user's principal name.
- The principal authentication method attribute definition creates an attribute whose value is the user's authentication method.
- The regex based split attribute definition creates an attribute whose values are the split of a set of input values.
- The transient ID creates an attribute whose value is a short-lived identifier.
- The Crypto Transient ID creates a cryptographically verifiable opaque identifier that can later be mapped back to the user by a CryptoTransient principal connector. See IdPNameIdentifier for more details.
- The SAML 1 NameIdentifier attribute definition creates an attribute whose values are SAML 1 NameIdentifiers.
- The SAML 2 NameID attribute definition creates an attribute whose values are SAML 2 NameIDs.
- The script attribute definition builds an attribute's values based on an ECMAScript script.
- The mapped attribute definition is used to map an attribute's values to different values using regular expressions.
- The template attribute definition uses the VelocityTemplateLanguage to construct values by combining other attribute values.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | Example Attribute Definition using defined Data Connectorxml |
|---|
|
<resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="NETID">
<Dependency ref="MyDatabase" />
</resolver:AttributeDefinition>
<resolver:DataConnector xsi:type="dc:RelationalDatabase" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="MyDatabase">
<ApplicationManagedConnection jdbcDriver="org.hsqldb.jdbcDriver"
jdbcURL="jdbc:hsqldb:res:/data/database/shibdb"
jdbcUserName="sa" />
<QueryTemplate>
<![CDATA[
SELECT * FROM PEOPLE WHERE netid='${principal}'
]]>
</QueryTemplate>
</resolver:DataConnector>
|
...
- SAML 1 String Attribute Encoder is used to encode an attribute as a SAML 1 <Attribute> with simple strings for values.
- SAML 1 Scoped String Attribute Encoder is used to encode an attribute as a SAML 1 <Attribute> with scoped strings for values.
- SAML 1 Base64 Attribute Encoder is used to encode an attribute as a SAML 1 <Attribute> with a byte array for a value.
- SAML 1 XMLObject Attribute Encoder is used to encode an attribute, with XMLObjects as values, into a SAML 1 <Attribute>.
- SAML 1 String NameIdentifier Encoder is used to encode an attribute, having a simple string value, into a SAML 1 Subject <NameIdentifier>.
- SAML 2 String Attribute Encoder is used to encode an attribute as a SAML 2 <Attribute> with simple strings for values.
- SAML 2 Scoped String Attribute Encoder is used to encode an attribute as a SAML 2 <Attribute> with scoped strings for values.
- SAML 2 Base64 Attribute Encoder is used to encode an attribute as a SAML 2 <Attribute> with a byte array for a value.
- SAML 2 XMLObject Attribute Encoder is used to encode an attribute, with XMLObjects as values, into a SAML 2 <Attribute>.
- SAML 2 String NameID Encoder is used to encode an attribute, having a simple string value, into a SAML 2 Subject <NameID>.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | Example attribute encoder for a defined attribute definitionxml |
|---|
|
<resolver: AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="NETID">
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
friendlyName="eduPersonPrincipalName" />
<resolver:Dependency ref="MyDatabase" />
</resolver:AttributeDefinition>
<resolver:DataConnector xsi:type="RelationalDatabase" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="MyDatabase"
validationQuery="SELECT 1;">
<ApplicationManagedConnection jdbcDriver="org.hsqldb.jdbcDriver"
jdbcURL="jdbc:hsqldb:res:/data/database/shibdb"
jdbcUserName="sa" />
<QueryTemplate>
<![CDATA[
SELECT * FROM PEOPLE WHERE netid='${principal}'
]]>
</QueryTemplate>
</resolver:DataConnector>
|
...
Newly defined attributes are not released to service providers until you define an attribute filter policy for that attribute. Such policies describe which service providers, under which conditions, receive which attributes.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | Example filter that always releases the UID attribute we definedxml |
|---|
|
<AttributeRule attributeID="uid">
<PermitValue xsi:type="basic:ANY" />
</AttributeRule>
|
...