...
A secondary feature in V4.1+ allows a Java Subject that contains one or more IdPAttributePrincipal objects to be processed directly to find an IdPAttribute from which to pull the value. This is primarily of use with various "external" authentication options such as SAML proxying, allowing a SAML Attribute decoded from another IdP to be directly consumed and used as a canonical principal name without the hassle of the attribute resolution process (and configuration). This feature can be leveraged by adjusting various properties (see the reference below) to disable use of the Attribute Resolver and reference the Java Subject directly (note this is not referring to the SAML <Subject> element but to the Java object created as a result of all successful authentication flows in the IdP).
General Configuration
Use conf/c14n/attribute-sourced-subject-c14n-config.xml to configure this flow, along with the AttributeResolverConfiguration. Typically you will supply a list of attributes to resolve and a list of attributes to search for in the results. The first such attribute with a suitable value will supply the username to return. By default, the only transform applied to the result is a trim of leading or trailing whitespace. Case-folding and regular expression replacements can be added, per the reference section below.
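The selection rule described above, modelled in Python as an added sketch (not Shibboleth's own code or configuration syntax). The function and parameter names are hypothetical, a "suitable" value is assumed to be a non-empty string after trimming, and the order trim, case-fold, regex replacement is an assumption.

```python
import re

def canonicalize(resolved, source_ids, lowercase=False, transforms=()):
    """Return the username taken from the first source attribute with a suitable value.

    resolved   -- dict of attribute ID -> list of values (the resolution results)
    source_ids -- ordered list of attribute IDs to search in those results
    lowercase  -- optional case-folding (off by default, as on the page)
    transforms -- optional (pattern, replacement) pairs, Python regex syntax
    """
    for attr_id in source_ids:                 # order of the list decides precedence
        for raw in resolved.get(attr_id, []):
            if not isinstance(raw, str):
                continue                       # assumption: only strings are suitable
            value = raw.strip()                # default transform: trim whitespace
            if lowercase:
                value = value.lower()
            for pattern, replacement in transforms:
                value = re.sub(pattern, replacement, value)
            if value:                          # empty results are not suitable
                return value
    return None                                # nothing usable: no username

# Constructed sample resolution results, for illustration only.
SAMPLE = {
    "mail": ["   "],                           # whitespace-only, skipped after trim
    "uid": ["  JDoe@EXAMPLE.org "],
    "eduPersonPrincipalName": ["other@example.org"],
}
SOURCES = ["mail", "uid", "eduPersonPrincipalName"]

def demo():
    strip_scope = [(r"^(.+)@example\.org$", r"\1")]
    return (
        canonicalize(SAMPLE, SOURCES),
        canonicalize(SAMPLE, SOURCES, lowercase=True),
        canonicalize(SAMPLE, SOURCES, lowercase=True, transforms=strip_scope),
    )

if __name__ == "__main__":
    print(demo())
```

Without case-folding, `JDoe@EXAMPLE.org` and `jdoe@example.org` are returned as different usernames, so whether to fold case depends on how downstream systems compare principal names.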
...