...

A secondary feature in V4.1+ allows for a Subject that contains one or more IdPAttributePrincipal objects to be processed directly for an IdPAttribute to pull the value from. This is primarily of use with various "external" authentication options such as SAML proxying, allowing a SAML Attribute decoded from another IdP to be directly consumed and used as a canonical principal name without the hassle of the attribute resolution process (and configuration).

General Configuration

V4.0

Use conf/c14n/attribute-sourced-subject-c14n-config.xml to configure this flow, along with the AttributeResolverConfiguration.

Typically you will supply a list of attributes to resolve and a list of attributes to search for in the results. The first such attribute with a suitable value will supply the username to return.

By default, the only transform applied to the result is a trim of leading or trailing whitespace. Case-folding and regular expression replacements can be added, per the reference section below.

V4.1+

Use conf/c14n/subject-c14n.properties to configure this flow, along with the AttributeResolverConfiguration.

If your system is upgraded, you may continue to use conf/c14n/attribute-sourced-subject-c14n-config.xml as before, or you may remove it, while ensuring the new properties are being loaded.

There are two ways this flow can locate a suitable IdPAttribute to use:

  • By running the "full" Attribute Resolver service (which has some special considerations noted below)

  • By pulling an IdPAttribute directly from an IdPAttributePrincipal in the input Subject (as mentioned above, this is normally useful when proxying authentication to another IdP)

These methods can be combined, in the sense that the list of attributes to search for may be found in either way, so it's possible to run the resolver conditionally and/or check both the Subject and the resolution results. In most cases this is an either/or situation and the resolver won't be used if you expect the data to be in the Subject already.

When pulling directly, you will typically just supply a list of attributes to check for (first value wins), and set the idp.c14n.attribute.resolutionCondition property to "shibboleth.Conditions.FALSE", to turn off the full attribute resolution step.

When using the resolver, typically you will supply a list of attributes to resolve and a list of attributes to search for in the results. The first such attribute with a suitable value will supply the username to return.

By default, the only transform applied to the result is a trim of leading or trailing whitespace. Case-folding and regular expression replacements can be added, per the reference section below. The regular expression replacement feature is the only one that still requires XML; if needed, define that bean in conf/c14n/subject-c14n.xml.
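As an added example (not part of this page or the IdP's own code), a small Python model of the V4.1+ selection and transform rules above: it reads a constructed subject-c14n.properties fragment, takes the first listed attribute with a usable value from whichever source(s) the properties enable, and applies the trim, regex-pair and case-folding settings. The transform order (trim, then pairs, then case) and the dict-based stand-ins for IdPAttributePrincipal objects and resolver output are assumptions.

```python
import re

# Constructed conf/c14n/subject-c14n.properties fragment using the page's keys:
# pull directly from the Subject and skip the Attribute Resolver entirely.
PROPERTIES = """
idp.c14n.attribute.attributeSourceIds = eduPersonPrincipalName, uid
idp.c14n.attribute.resolveFromSubject = true
idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.FALSE
idp.c14n.attribute.lowercase = true
idp.c14n.attribute.trim = true
"""

def parse_properties(text):
    """Minimal 'key = value' parser for the fragment above."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}

def apply_transforms(props, value, transforms):
    """Assumed order: trim, then regex/replacement pairs, then case-folding."""
    if props.get("idp.c14n.attribute.trim", "true") == "true":
        value = value.strip()
    for pattern, replacement in transforms:  # the Transforms bean's pairs
        value = re.sub(pattern, replacement, value)
    if props.get("idp.c14n.attribute.lowercase", "false") == "true":
        value = value.lower()
    elif props.get("idp.c14n.attribute.uppercase", "false") == "true":
        value = value.upper()
    return value

def pick_username(props, subject_attrs, resolver_attrs, transforms=()):
    """subject_attrs stands in for the IdPAttributePrincipal objects in the
    Subject, resolver_attrs for Attribute Resolver output; both map attribute
    ID -> list of string values (a scoped value is modelled as 'value@scope').
    Returns the canonical username, or None when no source has a usable value."""
    sources = []
    if props.get("idp.c14n.attribute.resolveFromSubject", "false") == "true":
        sources.append(subject_attrs)
    # Resolver output only exists when the condition bean is not FALSE.
    if props.get("idp.c14n.attribute.resolutionCondition",
                 "shibboleth.Conditions.TRUE") != "shibboleth.Conditions.FALSE":
        sources.append(resolver_attrs)
    ids = props.get("idp.c14n.attribute.attributeSourceIds", "").split(",")
    for attr_id in (i.strip() for i in ids if i.strip()):  # first usable value wins
        for source in sources:
            for value in source.get(attr_id, []):
                if value.strip():
                    return apply_transforms(props, value, transforms)
    return None
```

With resolutionCondition set to FALSE but resolveFromSubject left at its default of false, no source is consulted and the flow yields no username, which is the misconfiguration to check for first when this flow fails.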

Using the Attribute Resolver

...

Beans (V4.0)

The beans defined in conf/c14n/attribute-sourced-subject-c14n-config.xml follow:

Bean ID: shibboleth.c14n.attribute.AttributesToResolve
Type: List<String>
Default: (none)
Description: A list of attributes to resolve (an empty list directs the resolver to resolve everything it knows about)

Bean ID: shibboleth.c14n.attribute.AttributeSourceIds
Type: List<String>
Default: (none)
Description: A list of attributes to search for in the results, looking for a StringAttributeValue or ScopedStringAttributeValue

Bean ID: shibboleth.c14n.attribute.PrincipalNameLookupStrategy
Type: Function<ProfileRequestContext,String>
Default: (none)
Description: Provides a principal name value for the AttributeResolutionContext during attribute resolution (i.e., $resolutionContext.principal will be set)

Bean ID: shibboleth.c14n.attribute.Lowercase
Type: Boolean
Default: false
Description: Whether to lowercase the username

Bean ID: shibboleth.c14n.attribute.Uppercase
Type: Boolean
Default: false
Description: Whether to uppercase the username

Bean ID: shibboleth.c14n.attribute.Trim
Type: Boolean
Default: true
Description: Whether to trim leading and trailing whitespace from the username

Bean ID: shibboleth.c14n.attribute.Transforms
Type: Pair<String,String>
Default: (none)
Description: Pairs of regular expressions and replacement expressions to apply to the username

Beans (V4.1+)

The following beans may be defined in conf/c14n/subject-c14n.xml if needed:

Bean ID: shibboleth.c14n.attribute.PrincipalNameLookupStrategy
Type: Function<ProfileRequestContext,String>
Description: Provides a principal name value for the AttributeResolutionContext during attribute resolution (i.e., $resolutionContext.principal will be set)

Bean ID: shibboleth.c14n.attribute.Transforms
Type: Pair<String,String>
Description: Pairs of regular expressions and replacement expressions to apply to the attribute-sourced username

Properties (V4.1+)

The following properties are commented out in conf/c14n/subject-c14n.properties:

Name: idp.c14n.attribute.attributesToResolve
Default: (none)
Description: Comma-delimited list of attributes to resolve (an empty list directs the resolver to resolve everything it can)

Name: idp.c14n.attribute.attributeSourceIds
Default: (none)
Description: Comma-delimited list of attributes to search for in the results, looking for a StringAttributeValue or ScopedStringAttributeValue

Name: idp.c14n.attribute.resolveFromSubject
Default: false
Description: Whether to examine the input Subject for IdPAttributePrincipal objects to pull from directly, instead of from the output of the Attribute Resolver service

Name: idp.c14n.attribute.resolutionCondition
Default: shibboleth.Conditions.TRUE
Description: Bean ID of a Predicate<ProfileRequestContext> evaluated to determine whether to run the Attribute Resolver or go directly to the Subject alone

Name: idp.c14n.attribute.lowercase
Default: false
Description: Whether to lowercase the username

Name: idp.c14n.attribute.uppercase
Default: false
Description: Whether to uppercase the username

Name: idp.c14n.attribute.trim
Default: true
Description: Whether to trim leading and trailing whitespace from the username