Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
Overview
The SubjectDerivedAttribute AttributeDefinition exposes attributes values derived from the Java Subject(s) produced by the authentication flow(s) used to authenticate the subject of the profile request.
In most cases, the SubjectDataConnector is a more useful option because it can produce multiple attributes at once, and the new exporting feature allows them to be used without additional configuration.
A configuration shortcut allows for the values from any IdPAttribute objects contained inside IdPAttributePrincipal objects to be pulled out, which is an effective way to tunnel attribute data from outside the IdP provided by the External authentication flow.
Reference
| Expand |
|---|
| title | Specific XML Attributes |
|---|
|
The source of the Subject(s) to evaluate is controlled with: Name | Type | Default | Description |
|---|
forCanonicalization | Boolean | false | If true, a Subject undergoing SubjectCanonicalization is used as input rather than the default of looking for authenticated Subjects |
Exactly one of the following must be provided (but not both): Name | Type | Description |
|---|
principalAttributeName | String | The name of an IdPAttribute found inside an IdPAttributePrincipal contained in one of the authenticated Subject(s) | attributeValuesFunctionRef | Bean ID | The name of a Spring Bean implementing Function<Principal,List<IdPAttributeValue>>, this function will be invoked for each Principal found within the authenticated Subject(s), instead of relying on default behavior |
|
| Expand |
|---|
| title | Common XML Attributes |
|---|
|
| Include Page |
|---|
| AttributeDefinitionCommonAttributes |
|---|
| AttributeDefinitionCommonAttributes |
|---|
|
|
| Expand |
|---|
|
At least one dependency element is required. | Include Page |
|---|
| AttributeDefinitionCommonChildElements |
|---|
| AttributeDefinitionCommonChildElements |
|---|
|
|
Examples
The following locates an IdPAttribute named "Whatever" in an authenticated Subject and turns it into a new IdPAttribute named "SomethingElse".
| Code Block |
|---|
|
<AttributeDefinition xsi:type="SubjectDerivedAttribute"
id="SomethingElse" principalAttributeName="Whatever">
|
The following locates an IdPAttribute named "Whatever" in a Subject undergoing attribute-sourced C14N (such as a proxied SAML login) and turns it into a new IdPAttribute named "SomethingElse".
| Code Block |
|---|
|
<AttributeDefinition xsi:type="SubjectDerivedAttribute" forCanonicalization="true"
id="SomethingElse" principalAttributeName="Whatever"> |