...
The Shibboleth attribute authority (AA) is the part of a provider that's responsible for the inflow and outflow of attributes. Each time an IdP participates in a SAML transaction, the AA undertakes a number of steps to prepare attributes to be sent:
- The AA collects attributes from source systems.
...
  Note that with JDBC only Application Managed Connections can be tested, since the AACLI does not run in a container.
- The attributes are processed according to rules and dependencies defined in the resolver.
...
- The resulting attributes are filtered according to filter policies, SAML metadata information, and attribute query information.
...
- The attributes are then encoded into SAML attribute statements which may be sent to a relying party.
The attribute authority command line interface (AACLI) allows deployers to exercise their configurations and view the information that would likely be sent back to the relying party for a given SAML transaction. As it is not possible to specify every piece of information that goes into the attribute authority in a running system, the results are only an approximation of what would really be returned.
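As an added example (not part of the Shibboleth documentation), the following Python check compares an encoded attribute statement against the attribute names a relying party is expected to receive, so that over-release or a missing attribute shows up before the configuration goes live. It assumes the AACLI result has been saved as a SAML 2 `AttributeStatement`; the sample XML, the expected set and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample statement (illustrative, not captured AACLI output).
SAMPLE = """<saml2:AttributeStatement
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute FriendlyName="eduPersonPrincipalName"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <saml2:AttributeValue>jdoe@example.org</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="mail"
      Name="urn:oid:0.9.2342.19200300.100.1.3">
    <saml2:AttributeValue>jdoe@example.org</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# Constructed release expectation for one hypothetical relying party,
# keyed on the SAML Name because FriendlyName is only a display hint.
EXPECTED = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",  # eduPersonPrincipalName
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",  # eduPersonScopedAffiliation
}


def released(statement_xml):
    """Return {attribute Name: [values]} found in the statement."""
    if not statement_xml.strip():
        return {}  # nothing was released at all
    root = ET.fromstring(statement_xml)
    found = {}
    for attr in root.iter(SAML2 + "Attribute"):
        values = [v.text or "" for v in attr.iter(SAML2 + "AttributeValue")]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def audit(statement_xml, expected):
    """Report attributes released but not expected, and expected but absent."""
    got = set(released(statement_xml))
    return {
        "unexpected": sorted(got - set(expected)),
        "missing": sorted(set(expected) - got),
    }


if __name__ == "__main__":
    print(audit(SAMPLE, EXPECTED))
```

Because the AACLI result is only an approximation, a clean audit here does not replace checking what a live transaction actually releases.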
...