...
Conceptually, you can think of this mechanism as equivalent to a networked set of LDAP or X.500 directories queried by DN, merely in SAML terms. It is, however, relatively easy to implement and support when there are batch processes in place for the exchange of identity data to establish the links. No user intervention is required, which is a plus for simplicity but a minus for privacy and user control.
After each query is performed, the resolver applies the attribute extractor and filter configured for the application before continuing with other queries and eventually returning the resulting attributes. Each filtering step will operate on only the attributes extracted as a result of a particular query, and the filter policies can be expressed in terms of the actual "issuer" of each set of attributes for fine-grained control.
...
Attributes
policyId (string) - Optional reference to a Security Policy to apply to the resulting messages and SAML assertions obtained. If omitted, the application's default policy is used.
attributeId (space-delimited list of strings) - Optional list of attribute IDs to search for a value to use as the identifier in the queries performed. The first attribute value found will be used as the value of the <NameID>. If this attribute is omitted, the original <NameID> supplied by the user's original IdP is simply copied directly.
format (URI) - Optional value to use as the Format attribute in a "generated" <NameID> created from an arbitrary source attribute using the attributeId setting above. This value is ignored if the attributeId setting is omitted, or if the specified attribute used is a so-called "NameID-valued" attribute that resulted from a NameID-aware attribute decoder.
...
Child Elements
<Entity> (zero or more) - The value of the element is an entityID to query against. Metadata for a SAML 2.0 Attribute Authority role must be available.
<EntityReference> (zero or more) - The value of the element is the ID of an attribute available for the user. Each of the attribute's serialized values is interpreted as an entityID, as per the <Entity> element above.
Note that the <Entity> and <EntityReference> elements can be supplied in any order, and are processed in the order they appear, with a query attempt per entityID obtained.
<saml2:Attribute> (zero or more) - Supplies a set of attribute and value filters to include in any queries.
<MetadataProvider> (optional) - Supplies a dedicated MetadataProvider to use in place of the application-defined source.
<TrustEngine> (optional) - Supplies a dedicated TrustEngine to use in place of the application-defined engine.
...
<AttributeExtractor> (optional) - Supplies a dedicated AttributeExtractor to use in place of the application-defined extractor.
<AttributeFilter> (optional) - Supplies a dedicated AttributeFilter to use in place of the application-defined filter.
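The following configuration fragment is an added example, not taken from this page or from the Shibboleth project's own documentation, showing how the attributes and child elements above fit together. It assumes the resolver is configured as an <AttributeResolver> element of type "SimpleAggregation" in the SP's application configuration; the entity IDs, the "eppn" and "affiliatedAuthorities" attribute IDs, the filter file name and the queried attribute OID are constructed placeholders.

```xml
<!-- Constructed example: every entityID, attribute ID and file path below is a placeholder. -->
<AttributeResolver type="SimpleAggregation"
    attributeId="eppn"
    format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">

    <!-- Fixed set of attribute authorities; each is queried in the order listed.
         SAML 2.0 Attribute Authority metadata must be available for each one. -->
    <Entity>https://aa1.example.org/idp/shibboleth</Entity>
    <Entity>https://aa2.example.org/idp/shibboleth</Entity>

    <!-- Additional authorities taken at runtime from the values of a user attribute;
         every serialized value of "affiliatedAuthorities" is treated as an entityID. -->
    <EntityReference>affiliatedAuthorities</EntityReference>

    <!-- Restrict each query to a specific attribute rather than asking for everything.
         The OID shown is eduPersonAffiliation; adjust to what the authorities release. -->
    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

    <!-- Dedicated filter applied after every query, so the policy for aggregated
         attributes can be written separately from the application-wide policy
         (placeholder path; the file must exist in the SP configuration directory). -->
    <AttributeFilter type="XML" path="aggregation-filter.xml"/>
</AttributeResolver>
```

Because the format attribute is only honoured when attributeId names a plain (non-NameID-valued) attribute, the "unspecified" format here applies to the eppn value that is placed in the generated <NameID>; if eppn were omitted, the user's original <NameID> would be copied into the queries unchanged. Keeping a separate filter for the aggregation step is worthwhile because each filtering pass sees only the attributes returned by one query, so the policy can be keyed to the issuing authority and an authority cannot inject attributes it was never expected to assert.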
...