...

This is still supported, but with a few exceptions, a better approach in V4 is to rely on a common set of encoding rules contained in the new AttributeRegistryConfiguration based on reasonable conventions for the names of the IdPAttribute objects. For example, if you just accept that you should put the subject's e-mail address into an IdPAttribute called "mail", then the registry knows how to encode that into SAML automatically using the name prescribed by the standard.

Configuration

In a typical (and default) configuration, only one configuration resource is supplied for controlling attribute resolution, a file called attribute-resolver.xml. All such resources must contain a "root" element named <AttributeResolver> defined in the urn:mace:shibboleth:2.0:resolver XML namespace.

...

All of the examples shown assign attribute IDs that correspond to pre-existing encoding rules from the default supplied registry.

The resolver configuration itself consists of an unordered set of <AttributeDefinition> and <DataConnector> elements of various types. These plugins do the actual work, and most of the documentation can be found under those two headings.

Simple attribute-resolver.xml file

...

Formally, this is the configuration of the "AttributeResolver" service. By default one file, attribute-resolver.xml, defines the attributes to be resolved. Multiple files can be specified by editing the bean referred to by the property idp.service.attribute.resolver.resources (default value shibboleth.AttributeResolverResources in the services.xml file) or changing the property to a different bean name.

XML Attributes

The top level <AttributeResolver> element has one attribute, id, which is used in logging.

XML Elements

The following child elements may appear:

| Name | Cardinality | Description |
|---|---|---|
| <DataConnector> | any | Defines connections to sources of data which provide input to attribute definitions. These data sources are usually external (databases or attribute stores). It is also now possible when desired to directly export data from a connector without layering attribute definitions on top. |
| <AttributeDefinition> | any | Allows more precise formatting and transformations of input data into single attributes, as well as pre-V4 support for attaching encoders and other descriptive characteristics. Many use cases can now be handled without attribute definitions. |

Properties

The attribute-resolver.xml file can also use property replacement to externalize particular settings such as passwords. Some common/global properties, such as idp.scope, are defined in the idp.properties file, and you may add your own properties and files. See the SpringConfiguration topic for more on property syntax.

The properties that affect the resolution process have names starting with idp.service.attribute.resolver. as described here.
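The following check is an added example, not part of the Shibboleth documentation or code: it verifies that a resolver file has the required <AttributeResolver> root in the urn:mace:shibboleth:2.0:resolver namespace and that connector secrets are supplied through property replacement rather than written into the file. The list of secret-bearing attribute names, the property name in the hardened sample and both sample documents are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"  # namespace the page requires
# Assumption: attributes treated as secret-bearing; extend for your connectors.
SECRET_ATTRS = {"principalCredential", "jdbcPassword"}
# A bare %{property.name}; a ":" would mean an inline default kept in the file.
PLACEHOLDER = re.compile(r"^%\{[^{}:]+\}$")

def lint_resolver(xml_text):
    """Return findings for one resolver configuration document."""
    root = ET.fromstring(xml_text)
    expected = "{%s}AttributeResolver" % RESOLVER_NS
    if root.tag != expected:
        return ["root is %s, expected %s" % (root.tag, expected)]
    findings = []
    for plugin in root:  # top-level <DataConnector> / <AttributeDefinition>
        kind = plugin.tag.split("}")[-1]
        for elem in plugin.iter():  # the plugin itself plus nested elements
            for name in sorted(SECRET_ATTRS & set(elem.attrib)):
                if not PLACEHOLDER.match(elem.attrib[name].strip()):
                    findings.append("%s '%s': %s is not externalized"
                                    % (kind, plugin.get("id"), name))
    return findings

# Constructed sample: the bind password is written directly into the file.
WEAK = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
      ldapURL="ldaps://ldap.example.org" baseDN="ou=people,dc=example,dc=org"
      principal="uid=idp,ou=system,dc=example,dc=org"
      principalCredential="constructed-password"/>
  <AttributeDefinition id="mail" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
  </AttributeDefinition>
</AttributeResolver>"""

# Same connector with the secret moved to a property (name is an assumption).
HARDENED = WEAK.replace('"constructed-password"',
                        '"%{idp.attribute.resolver.LDAP.bindDNCredential}"')

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_resolver(doc))
```

Once the secret lives in a property file, that file's permissions and its exclusion from version control become the control that matters.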

...