...

It follows that the includeAttributeStatement property of the "Shibboleth.SSO" profile configuration can be set via a metadata Attribute named "http://shibboleth.net/ns/profiles/saml1/sso/browser/includeAttributeStatement".

As an additional convention, a setting can be configured for all profiles simultaneously by prefixing it with the URL "http://shibboleth.net/ns/profiles".

Tip

We reserve the right to define behavior for any current or future SAML Attributes named in the shibboleth.net domain or any other URI we own and control, so if any developers wish to develop general purpose extensions or behavior based on such tags, you should either rely on your own tag names or seek permission from the project.

SAML Attribute NameFormat Usage

While the SAML Attribute Name is handled as above, the NameFormat of all supported properties is presumed to be urn:oasis:names:tc:SAML:2.0:attrname-format:uri to prevent conflicts. However, the system was in fact "lax" about this particular check in V3.

As of V4, there is a property in conf/services.xml that is shipped enabled, but internally off by default for compatibility on upgrades. When idp.service.relyingparty.ignoreUnmappedEntityAttributes is true, which is suggested, the system will ignore any tags that have an improper NameFormat unless they are explicitly decoded with a custom rule in the AttributeRegistryConfiguration.

A side effect of this setting is that the IdP will operate much faster in locating (or not locating) tags for all of its settings using decoded and indexed data instead of having to inefficiently search the native XML-based data structures for a match. As a result, it is strongly advised that the proper NameFormat be used and the property enabled.

Type Conversion

The supplied implementations provide built-in type conversions that give a natural mapping between simple XML syntax and Java data types. Each kind of setting supports particular XML syntaxes, as described below.

The only XML syntaxes supported are "simple content" models involving an <AttributeValue> containing only text content, but it is possible to apply specific xsi:type designations that trigger more precise handling (such as enforcing numeric or boolean data). Note that using xsi:type in this fashion requires declaring an appropriate namespace and prefix for the XSD namespace, http://www.w3.org/2001/XMLSchema, which is conventionally bound to the xsd or xs prefixes.

| Setting Data Type | Supported XML Conversions | Notes |
|---|---|---|
| String | Untyped, string, boolean, integer, dateTime, base64binary | Booleans are mapped to the strings "0" or "1". Dates are mapped into the Unix epoch, then converted to String. |
| Boolean | Untyped, string, boolean, integer | Strings are processed as a valid XML boolean value (0, 1, true, false) or treated as false. Non-zero integers are true, zero is false. |
| Integer | Untyped, string, boolean, integer | Strings are decoded via the Integer.decode() method. Booleans are mapped to 0 or 1. |
| Long | Untyped, string, boolean, integer, dateTime | Strings are decoded via the Long.decode() method. Booleans are mapped to 0 or 1. Dates are mapped to the Unix epoch, then converted to a Long. |
| Double | Untyped, string, boolean, integer | Strings are decoded via the Double.valueOf() method. Booleans are mapped to 0.0 or 1.0. |
| Duration | Untyped, string, integer | Strings are converted from the ISO Duration notation used throughout the software. Integers are treated as a millisecond duration. |
| List<?> | Untyped, string, boolean, integer, dateTime, base64binary | Supports multiple <AttributeValue> elements; each value is converted to a String and then used to construct an object of the type specified for the property via a String-based single-argument constructor. |
| Set<?> | Untyped, string, boolean, integer, dateTime, base64binary | Supports multiple <AttributeValue> elements; each value is converted to a String and then used to construct an object of the type specified for the property via a String-based single-argument constructor. |
| Bean | Untyped, string | Converted to a String used as the name of a Spring bean to build or access. |
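As an added example (not Shibboleth's own code), the following Python models the lookup described in the naming, NameFormat and Type Conversion sections above against a constructed EntityAttributes fragment: tags with a NameFormat other than the uri format are ignored (the behaviour of idp.service.relyingparty.ignoreUnmappedEntityAttributes=true), a value is converted per the Boolean row of the table, and, as an assumption not stated on this page, a profile-specific tag takes precedence over the "http://shibboleth.net/ns/profiles" all-profiles prefix.

```python
# Added example, not Shibboleth code: a model of metadata-driven property lookup.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
PROFILES = "http://shibboleth.net/ns/profiles"

# Constructed fragment: one correct per-profile tag (SAML 1 SSO), one tag with
# an improper NameFormat (SAML 2 SSO), and one tag using the all-profiles prefix.
SAMPLE = """<mdattr:EntityAttributes
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="http://shibboleth.net/ns/profiles/saml1/sso/browser/includeAttributeStatement">
    <saml:AttributeValue xsi:type="xsd:boolean">true</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
    Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/includeAttributeStatement">
    <saml:AttributeValue>true</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="http://shibboleth.net/ns/profiles/includeAttributeStatement">
    <saml:AttributeValue>0</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>"""

def index_tags(xml):
    """Index Name -> list of values, keeping only tags with the uri NameFormat
    (what the strict V4 setting does; mismatched tags are simply not found)."""
    tags = {}
    for a in ET.fromstring(xml).iter(f"{{{SAML}}}Attribute"):
        if a.get("NameFormat") == URI_FORMAT:
            tags[a.get("Name")] = [v.text or "" for v in a.iter(f"{{{SAML}}}AttributeValue")]
    return tags

def to_bool(s):
    """Boolean setting: a valid XML boolean (0, 1, true, false), else false."""
    return s.strip() in ("1", "true")

def lookup(tags, profile_path, prop, convert, default=None):
    """Profile-specific name first, then the all-profiles prefix (assumed order),
    then the supplied default when neither tag is present."""
    for name in (f"{PROFILES}/{profile_path}/{prop}", f"{PROFILES}/{prop}"):
        if tags.get(name):
            return convert(tags[name][0])
    return default

TAGS = index_tags(SAMPLE)
# saml1/sso/browser -> True (per-profile tag); saml2/sso/browser -> False, because
# its own tag has the wrong NameFormat and the all-profiles tag carries "0".
```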

...

<AttributeFilterPolicy id="Per-Attribute-singleValued">
	<PolicyRequirementRule xsi:type="ANY"/>

	<AttributeRule attributeID="eduPersonPrincipalName">
		<PermitValueRule xsi:type="EntityAttributeExactMatch"
			attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
			attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
			attributeValue="eduPersonPrincipalName" />
	</AttributeRule>

	<AttributeRule attributeID="mail">
		<PermitValueRule xsi:type="EntityAttributeExactMatch"
			attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
			attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
			attributeValue="mail" />
	</AttributeRule>
</AttributeFilterPolicy>

Reference

...

Beans

| Bean ID | Type | Function |
|---|---|---|
| RelyingParty.MDDriven | RelyingPartyConfiguration | A template bean for use in defining metadata-driven RelyingParty overrides by hand |
| RelyingPartyByName.MDDriven | RelyingPartyConfiguration | A template bean for defining metadata-driven RelyingParty overrides based on matching by name |
| RelyingPartyByGroup.MDDriven | RelyingPartyConfiguration | A template bean for defining metadata-driven RelyingParty overrides based on matching by <EntitiesDescriptor> groups or SAML metadata-based <AffiliationDescriptor> groups |
| RelyingPartyByEntitiesDescriptor.MDDriven (4.1) | RelyingPartyConfiguration | A template bean for defining metadata-driven RelyingParty overrides based on matching by <EntitiesDescriptor> groups only |
| RelyingPartyByTag.MDDriven | RelyingPartyConfiguration | A template bean for defining metadata-driven RelyingParty overrides based on matching <EntityAttributes> extension content |
| RelyingPartyByMappedTag.MDDriven | RelyingPartyConfiguration | A template bean for defining metadata-driven RelyingParty overrides based on matching <EntityAttributes> extension content mapped via the AttributeRegistryConfiguration |
| Shibboleth.SSO.MDDriven | BrowserSSOProfileConfiguration | Default metadata-driven configuration for SAML 1.1 SSO profile |
| SAML1.AttributeQuery.MDDriven | AttributeQueryProfileConfiguration | Default metadata-driven configuration for SAML 1.1 Attribute Query profile |
| SAML1.ArtifactResolution.MDDriven | ArtifactResolutionProfileConfiguration | Default metadata-driven configuration for SAML 1.1 Artifact Resolution profile |
| SAML2.SSO.MDDriven | BrowserSSOProfileConfiguration | Default metadata-driven configuration for SAML 2.0 SSO profile |
| SAML2.ECP.MDDriven | ECPProfileConfiguration | Default metadata-driven configuration for SAML 2.0 Enhanced Client/Proxy profile |
| SAML2.Logout.MDDriven | SingleLogoutProfileConfiguration | Default metadata-driven configuration for SAML 2.0 Single Logout profile |
| SAML2.AttributeQuery.MDDriven | AttributeQueryProfileConfiguration | Default metadata-driven configuration for SAML 2.0 Attribute Query profile |
| SAML2.ArtifactResolution.MDDriven | ArtifactResolutionProfileConfiguration | Default metadata-driven configuration for SAML 2.0 Artifact Resolution profile |
| Liberty.SSOS.MDDriven | SSOSProfileConfiguration | Default metadata-driven configuration for Liberty ID-WSF Delegated SSO profile |
| CAS.LoginConfiguration.MDDriven | LoginConfiguration | Default metadata-driven configuration for CAS login protocol |
| CAS.ProxyConfiguration.MDDriven | ProxyConfiguration | Default metadata-driven configuration for CAS proxy login protocol |
| CAS.ValidateConfiguration.MDDriven | ValidateConfiguration | Default metadata-driven configuration for CAS ticket validation protocol |
| shibboleth.DefaultMDProfileAliases | List<String> | A built-in list of alternate URL "prefixes" to property names; used to automate the generation of property tag names that apply to all profiles at the same time |
| shibboleth.MDProfileAliases | List<String> | An optional user-supplied list of additional URL prefixes to support custom property tag names |
| shibboleth.MDDrivenStringProperty | StringConfigurationLookupStrategy | Parent bean for defining new lookup strategies for string settings |
| shibboleth.MDDrivenBoolProperty | BooleanConfigurationLookupStrategy | Parent bean for defining new lookup strategies for boolean settings |
| shibboleth.MDDrivenIntProperty | IntegerConfigurationLookupStrategy | Parent bean for defining new lookup strategies for integer settings |
| shibboleth.MDDrivenLongProperty | LongConfigurationLookupStrategy | Parent bean for defining new lookup strategies for long integer settings |
| shibboleth.MDDrivenDoubleProperty | DoubleConfigurationLookupStrategy | Parent bean for defining new lookup strategies for double settings |
| shibboleth.MDDrivenDurationProperty | DurationConfigurationLookupStrategy | Parent bean for defining new lookup strategies for Duration settings |
| shibboleth.MDDrivenListProperty | ListConfigurationLookupStrategy | Parent bean for defining new lookup strategies for List settings |
| shibboleth.MDDrivenSetProperty | SetConfigurationLookupStrategy | Parent bean for defining new lookup strategies for Set settings |
| shibboleth.MDDrivenBeanProperty | BeanConfigurationLookupStrategy | Parent bean for defining new lookup strategies for arbitrary Spring bean settings |