...

Configuration Example
<!-- Add as first element within root element <SPConfig> of shibboleth2.xml -->
<OutOfProcess>
    <Extensions>
        <Library path="plugins.so" fatal="true"/>
    </Extensions>
</OutOfProcess>

<InProcess>
    <Extensions>
        <Library path="plugins-lite.so" fatal="true"/>
    </Extensions>
</InProcess>

[...]

<!-- Add at end of <Sessions> element -->
<Handler type="AttributeResolver" Location="/AttributeResolver"
         acl="127.0.0.1 ::1 130.59.0.0/16 2001:620:0:44::/64" />

Attributes

  • acl (list of space-delimited IP addresses or CIDR ranges; defaults to localhost-only access)
    • The set of client addresses from which requests to the handler are accepted.

...

Example Usage

Once the AttributeResolver handler is configured, it can be queried, for example from localhost, with:
$ curl -k 'https://localhost/Shibboleth.sso/AttributeResolver?format=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent&entityID=https%3A%2F%2Fyour.idp.example.org%2Fidp%2Fshibboleth&nameId=123456789PfvsH8k4gvHoeq6QtM='

This will return a JSON data structure like:
{
    "displayName" : [
        "Lukas Hämmerle"
    ],
    "mail" : [
        "lukas.haemmerle@switch.ch"
    ],
    "schacHomeOrganization" : [
        "switch.ch"
    ],
    "persistent-id" : [
        "https://your.idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!1FmaGeMauPfvsH8k4gvHoeq6QtM="
    ],
    "idp" : [
        "https://your.idp.example.org/idp/shibboleth"
    ]
}

The output is currently limited to JSON. It is either dumped as a structure containing one array field per attribute, with each value serialized into its own array slot, or encoded in a way that combines multiple values into delimited strings identical to what would appear in server variables or headers. The latter is enabled by setting the encoding parameter to "JSON/CGI".
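The following is an added example, not code from the Shibboleth SP or this page, showing a small client-side helper for the handler described above: building the percent-encoded query URL from the curl example, normalising both output forms (per-attribute arrays and the "JSON/CGI" delimited strings) into one shape, and checking a client address against the acl value from the configuration example. The ";" multi-value delimiter for the JSON/CGI form and the sample responses are assumptions constructed for the example.

```python
import ipaddress
import json
from urllib.parse import urlencode

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample responses (assumption: JSON/CGI joins values with ";",
# the SP's usual separator for multi-valued server variables and headers).
SAMPLE_ARRAY = json.dumps({
    "mail": ["lukas.haemmerle@switch.ch"],
    "eduPersonAffiliation": ["staff", "member"],
    "idp": ["https://your.idp.example.org/idp/shibboleth"],
})
SAMPLE_CGI = json.dumps({
    "mail": "lukas.haemmerle@switch.ch",
    "eduPersonAffiliation": "staff;member",
    "idp": "https://your.idp.example.org/idp/shibboleth",
})


def build_query_url(base, entity_id, name_id, fmt=PERSISTENT, encoding=None):
    """Return the handler URL; urlencode percent-encodes entityID exactly as in the curl example."""
    params = {"format": fmt, "entityID": entity_id, "nameId": name_id}
    if encoding:  # e.g. "JSON/CGI" to request the delimited-string form
        params["encoding"] = encoding
    return f"{base}/AttributeResolver?{urlencode(params)}"


def parse_response(body, delimiter=";"):
    """Normalise either output form to {attribute: [values]} so callers need not care which was used."""
    out = {}
    for name, value in json.loads(body).items():
        if isinstance(value, list):
            out[name] = [str(v) for v in value]
        else:  # JSON/CGI form: one delimited string per attribute
            out[name] = value.split(delimiter) if value else []
    return out


def acl_allows(acl, client_ip):
    """Evaluate a space-delimited acl of addresses/CIDR ranges against one client address."""
    networks = [ipaddress.ip_network(tok, strict=False) for tok in acl.split()]
    ip = ipaddress.ip_address(client_ip)
    # Membership across IP versions is False, so a v4 client never matches a v6 range.
    return any(ip in net for net in networks)
```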