...
The "sub" claim is also semi-reserved but does come from your configuration. However it has to meet certain requirements and so cannot just contain arbitrary data without risking severe consequences to RPs. It is analagous to violating the expectations of a SAML SP regarding the content of an Attribute, but with more consistently severe problems. Please refer to the dedicated page at OPSubClaim for specifics.
Configuration
...
| tabStyle | flat |
|---|
...
Transcoding Rules
The mappings from traditional LDAP (and SAML) attributes and OIDC claims is much less self-evident, but we have produced a set of plausible default rules that map from typical LDAP attributes to appropriate claims. These rules are not enabled by default, but can be found in conf/attributes/oidc-claim-rules.xml and imported into conf/attributes/default-rules.xml (with or without changes). That file also provides numerous examples to follow in building your own rules if desired.
Note that it's optional and not required to "combine" SAML and OIDC rules together. The system is intelligent enough to allow multiple "outbound" rules associated with the same IdPAttribute id with different transcoders involved.
The additional supported properties and transcoder types are described below. As with SAML, OIDC includes mechanisms to request claims, and so the transcoders support bidirectional mappings to allow decoding of requested JSON claims as well as encoding of IdPAttributes into JSON.
Common Properties
In addition to the generic properties, all OIDC transcoders support the following:
| Name | Type | Default | Description |
|---|---|---|---|
| oidc.name | String | The claim name to map to and from (if absent, the IdPAttribute's id is used) | |
| oidc.asArray | Boolean | false | Encodes and decodes multiple values as a JSON array |
| oidc.asInteger | Boolean | false | Encodes and decodes individual values as a JSON integer |
| oidc.asBoolean | Boolean | false | Encodes and decodes individual values as a Boolean |
| oidc.stringDelimiter | String | <space> | Encodes and decodes multiple values as a string with a specifie delimiter |
Transcoder Types
There are 3 built-in types of OIDC transcoders, as follows. Each one is predefined as a Spring bean for use in rules using the "short" name of the transcoder as shown.
OIDCStringTranscoder
The simplest and most commonly used transcoder, it supports encoding and decoding internal values from and to the StringAttributeValue class. It supports the following additional optional property:
| Name | Type | Default | Description |
|---|---|---|---|
| oidc.asObject | Boolean | false | Encodes and decodes a string value as a JSON object (meaning parsing to and from JSON) |
OIDCScopedStringTranscoder
Supports encoding and decoding internal values from and to the ScopedStringAttributeValue class. It supports the following additional properties (all optional):
| Name | Type | Default | Description |
|---|---|---|---|
| oidc.scopeDelimiter | String | @ | The character(s) to use to separate the value and scope |
OIDCByteTranscoder
Supports encoding and decoding internal values from and to the ByteAttributeValue class, with a base64 transform applied. It supports no additional properties.
...
Attribute Encoders
The alternative to the generality of the transcoding approach is the older style of embedding <AttributeEncoder> elements within the AttributeResolverConfiguration to specify individual encoding of AttributeDefinitions to claims. This is supported for OIDC via a set of extensions that add new encoder plugin types.
| Note |
|---|
Note for upgraders: the older "token placement" settings that were supported here for splitting claims have been moved to profile configuration settings and are no longer valid here. |
Because these are extensions, their xsi:type definitions live in a separate XML namespace and schema (unfortunately an unavoidable callback to the days when multiple namespaces were required in configurations).
Namespace: urn:mace:shibboleth:2.0:resolver:oidcSchema: http://shibboleth.net/schema/oidc/shibboleth-attribute-encoder-oidc.xsd
In order to use any of these encoders, the root element of the resolver configuration file needs to be adjusted to declare a namespace prefix for the extension namespace and add in the schema location to address some fundamental XML bugs in Spring:
| Code Block |
|---|
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oidc="urn:mace:shibboleth:2.0:resolver:oidc"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
urn:mace:shibboleth:2.0:resolver:oidc http://shibboleth.net/schema/oidc/shibboleth-attribute-encoder-oidc.xsd"> |
All of the extension encoders support the common settings described on the AttributeEncoderPluginConfiguration page. They also support all of these common XML attributes:
| Name | Type | Default | Description |
|---|---|---|---|
| asObject | Boolean | false | Encodes (and decodes) string-valued data as a JSON object instead of a string value |
| asBoolean | Boolean | false | Encodes (and decodes) values as booleans (anything but "true", ignoring case, is treated as false) |
| asArray | Boolean | false | Encodes (and decodes) multiple values into a JSON array rather than a delimited string |
| asInt | Boolean | false | Encodes (and decodes) values as JSON integers (non-numeric values are ignored) |
| stringDelimiter | String | <space> | Sets the delimiter to use when encoding multiple values into a single JSON string |
The supported xsi:type values (and additional options) are:
| xsi:type | Description |
|---|---|
| oidc:OIDCString | Basic encoder for string-valued claims (defaults to encoding multiple values as a space-delimited string) |
| oidc:OIDCScopedString | Encoder for scoped claims. A scopeDelimiter XML attribute can be supplied to alter the delimiter (defaults to '@'). |
| oidc:OIDCByte | Encoder for base64-encoding byte-valued data |
Examples
The expected JSON is shown in XML comments. Unrelated aspects are omitted such as dependencies and so forth.
| Code Block | ||
|---|---|---|
| ||
<AttributeDefinition xsi:type="Scoped" id="affiliation" scope="example.org">
<AttributeEncoder xsi:type="oidc:OIDCScopedString" name="eduPersonScopedAffiliaton"/>
</AttributeDefinition>
<!-- affiliation: "member@example.org student@example.org" -->
<AttributeDefinition xsi:type="Scoped" id="affiliation" scope="example.org">
<AttributeEncoder xsi:type="oidc:OIDCScopedString" name="eduPersonScopedAffiliaton" asArray="true"/>
</AttributeDefinition>
<!-- affiliation: [ "member@example.org", "student@example.org"] -->
<AttributeDefinition id="address" xsi:type="ScriptedAttribute">
<Script>
<![CDATA[
address.addValue("{\"street_address\":\""+street_address.getValues().get(0) + "\","
+"\"locality\":\""+locality.getValues().get(0) + "\","
+"\"region\":\""+region.getValues().get(0) + "\","
+"\"postal_code\":\""+postal_code.getValues().get(0) + "\","
+"\"country\":\""+country.getValues().get(0) + "\"}");
]]>
</Script>
<AttributeEncoder xsi:type="oidc:OIDCString" asObject="true" name="address" />
</AttributeDefinition>
<!--
"address": {
"street_address":"234 Hollywood Blvd.",
"country":"US",
"locality":"Los Angeles",
"region":"CA",
"postal_code":"90210"
}
--> |