
...

This is not the default behavior, so it must generally be enabled by adding a RelyingParty definition to relying-party.xml whose ShibbolethSSOProfile configuration sets the includeAttributeStatement flag to true. Without that flag the IdP issues a SAML 1.1 authentication assertion alone and expects the SP to pull attributes afterwards via an attribute query.

Example RelyingParty configuration for attribute push with SAML 1.1:

<!-- The saml: prefix is bound to urn:mace:shibboleth:2.0:relying-party:saml on the root element of relying-party.xml -->
<RelyingParty id="https://sp.example.org/samlentity"
  provider="https://idp.example.org/idp/shibboleth"
  defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
   <!-- includeAttributeStatement="true" pushes the attribute statement inside the SSO assertion -->
   <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" includeAttributeStatement="true"/>
</RelyingParty>

...

A common example is the "eduPersonPrincipalName" attribute. Ordinarily, the SAML 1.1 name of this attribute is "urn:mace:dir:attribute-def:eduPersonPrincipalName", but in the simpler formulation (whose name is ironically more complex) it is the OID-based name "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", and the scope is carried inline in the value (user@scope) rather than in a separate Scope XML attribute.

Example Attribute Definition for eduPersonPrincipalName:

<resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    scope="example.org" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP" />

    <!-- Shibboleth-style SAML 1.1 encoding: scope emitted as a Scope XML attribute on the value -->
    <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />

    <!-- additional definition for use with commercial SAML 1.1 SPs: OID name, scope emitted inline as user@scope -->
    <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" scopeType="inline" />

    <resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />

</resolver:AttributeDefinition>
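The two SAML 1.1 encoders above put the same scoped value on the wire in different shapes. The following Python is an added example, not part of this page or of the IdP's own code: it builds a SAML 1.1 AttributeStatement carrying eduPersonPrincipalName in both forms (Scope XML attribute versus inline user@scope), then parses either form back to one canonical user@scope string and refuses values whose scope is not one the IdP is allowed to assert, the kind of check an SP makes against the IdP's metadata. The user "jdoe", the scope "example.org", the permitted-scope set and the minimal element skeleton are constructed assumptions.

```python
# Added example (not Shibboleth code): encode and decode SAML 1.1 scoped
# attribute values in the two forms the SAML1ScopedString encoder produces.
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# AttributeNamespace used by Shibboleth for URI-named SAML 1.1 attributes
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
MACE_NAME = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
OID_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"

ET.register_namespace("saml", SAML1_NS)


def encode_scoped(name, user, scope, scope_type="attribute"):
    """Build one <saml:Attribute> the way the encoder would: scopeType
    "attribute" puts the scope in a Scope XML attribute on the value,
    scopeType "inline" puts user@scope in the value text."""
    attr = ET.Element(f"{{{SAML1_NS}}}Attribute",
                      {"AttributeName": name, "AttributeNamespace": SHIB_ATTR_NS})
    val = ET.SubElement(attr, f"{{{SAML1_NS}}}AttributeValue")
    if scope_type == "attribute":
        val.set("Scope", scope)
        val.text = user
    elif scope_type == "inline":
        val.text = f"{user}@{scope}"
    else:
        raise ValueError(f"unknown scopeType {scope_type!r}")
    return attr


def build_attribute_statement(user, scope):
    """Constructed sample: one statement with both encodings of the same EPPN."""
    stmt = ET.Element(f"{{{SAML1_NS}}}AttributeStatement")
    stmt.append(encode_scoped(MACE_NAME, user, scope, "attribute"))
    stmt.append(encode_scoped(OID_NAME, user, scope, "inline"))
    return ET.tostring(stmt, encoding="unicode")


def _split_scoped(val):
    """Return (user, scope) for one AttributeValue in either form; reject
    values that are unscoped or that carry the scope in both places."""
    text = (val.text or "").strip()
    scope = val.get("Scope")
    if scope is not None:
        if "@" in text:
            raise ValueError(f"ambiguous value {text!r}: Scope attribute and inline '@'")
        user = text
    else:
        if text.count("@") != 1:
            raise ValueError(f"unscoped or malformed value {text!r}")
        user, scope = text.split("@")
    if not user or not scope:
        raise ValueError(f"empty user or scope in {text!r}")
    return user, scope


def decode_scoped_values(xml_text, permitted_scopes):
    """Parse an AttributeStatement into {AttributeName: [user@scope, ...]}.
    permitted_scopes plays the role of the scopes listed for this IdP in
    its metadata; any other scope is rejected rather than trusted."""
    allowed = {s.lower() for s in permitted_scopes}
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        vals = []
        for val in attr.iter(f"{{{SAML1_NS}}}AttributeValue"):
            user, scope = _split_scoped(val)
            if scope.lower() not in allowed:
                raise ValueError(f"scope {scope!r} not permitted for this IdP")
            vals.append(f"{user}@{scope.lower()}")
        out[attr.get("AttributeName")] = vals
    return out


def accepts(xml_text, permitted_scopes):
    """True if every scoped value in the statement passes the checks above."""
    try:
        decode_scoped_values(xml_text, permitted_scopes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    statement = build_attribute_statement("jdoe", "example.org")
    print(statement)
    print(decode_scoped_values(statement, {"example.org"}))
    # A statement asserting a scope this IdP does not own is refused.
    print(accepts(build_attribute_statement("jdoe", "other.example"), {"example.org"}))
```

The decoder deliberately treats a value that carries both a Scope attribute and an inline "@" as an error rather than picking one, since the two could disagree and an SP that silently prefers one form can be steered into accepting a principal from the wrong domain.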

...