
This page refers to the following XML namespaces:

| Prefix | Namespace URI | Description |
| --- | --- | --- |
| saml2 | urn:oasis:names:tc:SAML:2.0:assertion | SAML 2.0 Assertion namespace |

Attributes

The following optional attributes are supported:

| Name | Type | Default | Description |
| --- | --- | --- | --- |
| policyId | string | | Optional identifier of a customized security policy to use when performing the query. |
| attributeId | whitespace-delimited list of strings | | Optional list of attribute IDs to search for a value to use as the identifier in the queries performed. The first attribute value found will be used as the value of the <NameID> in the query. If this attribute is omitted, the original <NameID> supplied by the user's original IdP is simply copied directly. |
| format | URI | | Optional value to use as the Format attribute in a "generated" <NameID> element created from an arbitrary source attribute using the attributeId setting above. This value is ignored if the attributeId setting is omitted, or if the specified attribute used is a so-called "NameID-valued" attribute that resulted from a NameID-aware attribute decoder. |
| subjectMatch | boolean | false | If true, enforces SAML "strong matching" requirements on the subject of the resulting assertions. By default, each AA is trusted to return an assertion about the queried subject without explicitly comparing the result. |
| exceptionId | string | | Optional identifier of a special attribute to create in the event of a "transient" failure during the aggregation process. Errors are considered transient if they are caused by system outages or misconfiguration. If an IdP appears to support the query protocol, then transient errors include any failure to obtain a successful SAML response or a violation of security policy while processing the result. If such errors occur, the attribute will contain one or more URL-encoded exception messages, and the application should be aware that not all of the "usual" attributes it might receive are available. |

Child Elements

The following optional child elements are supported:

| Name | Cardinality | Description |
| --- | --- | --- |
| <Entity> | 0 or more | The value of the element is an entityID to query against. Metadata for a SAML 2.0 Attribute Authority role must be available. |
| <EntityReference> | 0 or more | The value of the element is the ID of an attribute available for the user. Each of the attribute's serialized values is interpreted as an entityID, as per the <Entity> element above. |
| <saml2:Attribute> | 0 or more | Supplies a set of attribute and value filters to include in any queries. |
| <MetadataProvider> | 0 or 1 | Supplies a dedicated MetadataProvider to use in place of the application-defined source. |
| <TrustEngine> | 0 or 1 | Supplies a dedicated TrustEngine to use in place of the application-defined engine. |
| <AttributeExtractor> | 0 or 1 | Supplies a dedicated AttributeExtractor to use in place of the application-defined extractor. |

Note that the <Entity> and <EntityReference> elements can be supplied in any order, and are processed in the order they appear, with a query attempt per entityID obtained.

Example

SimpleAggregation Example:

```xml
<!-- Uses eduPersonPrincipalName from IdP to query, and asks for eduPersonEntitlement. -->
<AttributeResolver type="SimpleAggregation" attributeId="eppn" format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <Entity>https://ieee.org/idp/shibboleth</Entity>
    <EntityReference>External-Links</EntityReference>
    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonEntitlement"/>
</AttributeResolver>
```
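As an added example that is not part of the Shibboleth documentation, the script below parses a SimpleAggregation element in the shape described by the attribute and child element tables above and reports the settings a configuration reviewer would check: subjectMatch left at its default of false, a format value with no attributeId for it to apply to, no exceptionId to surface transient failures, and no <Entity> or <EntityReference> targets. Both sample configurations, the entityID, the exceptionId value and the function names parse_aggregation and lint_aggregation are constructed for this example.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the documented element with the optional settings
# subjectMatch and exceptionId filled in. The entityID is a placeholder.
HARDENED_CONFIG = """
<AttributeResolver type="SimpleAggregation" attributeId="eppn"
    format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
    subjectMatch="true" exceptionId="aggregation-errors">
    <Entity>https://aa.example.org/idp/shibboleth</Entity>
    <EntityReference>External-Links</EntityReference>
    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        FriendlyName="eduPersonEntitlement"/>
</AttributeResolver>
"""

# Constructed sample: defaults left in place, and a format given without an
# attributeId, so the original NameID is copied and the format is ignored.
WEAK_CONFIG = """
<AttributeResolver type="SimpleAggregation" format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <Entity>https://aa.example.org/idp/shibboleth</Entity>
</AttributeResolver>
"""


def parse_aggregation(xml_text):
    """Return the query-relevant settings of a SimpleAggregation element."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "AttributeResolver" or root.get("type") != "SimpleAggregation":
        raise ValueError('expected <AttributeResolver type="SimpleAggregation">')
    # <Entity> and <EntityReference> are processed in document order, one
    # query per entityID obtained, so keep them as an ordered list.
    targets = []
    for child in root:
        if child.tag in ("Entity", "EntityReference"):
            targets.append((child.tag, (child.text or "").strip()))
    flag = root.get("subjectMatch", "false").strip().lower()
    return {
        "policy_id": root.get("policyId"),
        "attribute_ids": root.get("attributeId", "").split(),
        "format": root.get("format"),
        "subject_match": flag in ("true", "1"),
        "exception_id": root.get("exceptionId"),
        "targets": targets,
        # The saml2:Attribute children are the attribute/value filters sent
        # with each query.
        "filters": [a.get("Name") for a in root.findall(f"{{{SAML2_NS}}}Attribute")],
    }


def lint_aggregation(cfg):
    """Return review findings for a parsed SimpleAggregation configuration."""
    findings = []
    if not cfg["targets"]:
        findings.append("no <Entity> or <EntityReference>: no Attribute Authority will be queried")
    if not cfg["subject_match"]:
        findings.append("subjectMatch is false (the default): each AA's assertion is trusted "
                        "to be about the queried subject without comparison")
    if cfg["format"] and not cfg["attribute_ids"]:
        findings.append("format is set but attributeId is omitted: the original NameID is "
                        "copied and format is ignored")
    if not cfg["exception_id"]:
        findings.append("exceptionId is unset: transient query failures leave no trace "
                        "in the attributes the application receives")
    return findings


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        cfg = parse_aggregation(text)
        print(f"{label}: targets={cfg['targets']} filters={cfg['filters']}")
        for finding in lint_aggregation(cfg) or ["no findings"]:
            print("  -", finding)
```

The lint reflects the documented defaults only: it does not know whether the referenced attribute exists or whether the application's own MetadataProvider and TrustEngine are adequate, so a clean result means the element is internally consistent, not that the deployment is.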