...
In general, extractors can be handed many different XML element types and are free to process them or ignore them as their implementation or configuration dictates.
...
Common Attributes
type (string) - Plugin type name.
...
Indicated by type="XML", implements an XML-based rule syntax for designating SAML attributes and name identifiers to decode into internal attributes. The plugin supports extraction of SAML attributes and name identifiers from the following SAML constructs (it does not know how to pull any other data from these elements, only attributes and name identifiers):
<saml:Assertion>
<saml:Attribute>
<saml:NameIdentifier>
<saml2:Assertion>
<saml2:Attribute>
<saml2:NameID>
<saml2:EncryptedAttribute>
...
The XML attribute extractor's XML "portion" is a reloadable resource, which means that the XML content can be supplied inline, in a local file, or in a remote file, and can be monitored for changes and reloaded on the fly. The root of the XML instance MUST be an <am:Attributes> element.
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attribute name="urn:oid:2.5.4.3" id="cn"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
</Attributes>
...
Each <am:Attribute> element installs a rule for extracting a named SAML attribute or name identifier into an internal attribute. The source of the attribute is identified with the name (and possibly nameFormat) XML attributes, and the result is internally tagged with the id (and possibly aliases) XML attributes. The aliases feature is deprecated and may be removed from a future release; consider revising to use the AttributeResolver instead.
The name property corresponds to the Name XML attribute of a SAML <Attribute> element or the Format XML attribute of a SAML <NameID>/<NameIdentifier> element.
The Shibboleth SP by default will install rules using a nameFormat of urn:mace:shibboleth:1.0:attributeNamespace:uri and urn:oasis:names:tc:SAML:2.0:attrname-format:uri to accommodate all SAML versions. The nameFormat property can be omitted unless a non-standard, non-URI-based NameFormat is being used. This property is also omitted/ignored when extracting information from a <NameID>/<NameIdentifier> element.
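The following Python script is an added example, not code from the Shibboleth SP, that models the rule semantics described above: a rule keyed on name (plus nameFormat, which defaults to the two URI formats the SP installs) selects SAML attributes; the same name is compared with a NameID's Format with nameFormat ignored; and each match is relabelled with the rule's id and any deprecated aliases. Decoders such as ScopedAttributeDecoder are not modelled, and the attribute map and SAML 2.0 assertion are constructed sample input, not taken from a deployment. It also shows the property a deployer relies on for least exposure: an attribute with no matching rule, or with the right Name but a different NameFormat, never reaches the application.

```python
# Added example (not Shibboleth SP code): a toy model of how <am:Attribute>
# rules select SAML attributes and name identifiers and relabel them.
import xml.etree.ElementTree as ET

AM_NS = "urn:mace:shibboleth:2.0:attribute-map"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# The two nameFormat values the SP installs when a rule omits nameFormat.
DEFAULT_NAME_FORMATS = (
    "urn:mace:shibboleth:1.0:attributeNamespace:uri",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
)

# Constructed sample attribute map (assumed content, for illustration only).
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:2.5.4.3" id="cn" aliases="commonName"/>
  <Attribute name="urn:oid:2.5.4.3" id="cn-basic"
             nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id"/>
</Attributes>"""

# Constructed sample SAML 2.0 assertion (unsigned toy input; values are made up).
ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>Jane Doe</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue>Basic Jane</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>jdoe@example.org</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>unmapped@example.org</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def load_rules(attribute_map_xml):
    """Parse <Attribute> rules into dicts; reject a document whose root is not <am:Attributes>."""
    root = ET.fromstring(attribute_map_xml)
    if root.tag != f"{{{AM_NS}}}Attributes":
        raise ValueError("root element must be <am:Attributes>")
    rules = []
    for el in root.findall(f"{{{AM_NS}}}Attribute"):
        fmt = el.get("nameFormat")
        rules.append({
            "name": el.get("name"),
            # An explicit nameFormat restricts the rule; otherwise both URI formats apply.
            "formats": (fmt,) if fmt else DEFAULT_NAME_FORMATS,
            "id": el.get("id"),
            "aliases": tuple(el.get("aliases", "").split()),  # deprecated feature
        })
    return rules


def extract(rules, assertion_xml):
    """Apply the rules to one SAML 2.0 assertion and return {internal id: [values]}.
    Anything without a matching rule is dropped, never passed through."""
    root = ET.fromstring(assertion_xml)
    out = {}

    def store(rule, values):
        # The match is tagged with the rule's id and every alias.
        for key in (rule["id"], *rule["aliases"]):
            out.setdefault(key, []).extend(values)

    # <saml2:NameID>: the rule's name is compared with Format; nameFormat is ignored.
    for nameid in root.iter(f"{{{SAML2_NS}}}NameID"):
        for rule in rules:
            if rule["name"] == nameid.get("Format"):
                store(rule, [nameid.text or ""])

    # <saml2:Attribute>: both Name and NameFormat must match the rule.
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        name, fmt = attr.get("Name"), attr.get("NameFormat")
        for rule in rules:
            if rule["name"] == name and fmt in rule["formats"]:
                values = [v.text or "" for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
                store(rule, values)
    return out


def demo():
    """Run the constructed map against the constructed assertion."""
    return extract(load_rules(ATTRIBUTE_MAP), ASSERTION)


if __name__ == "__main__":
    for key, values in demo().items():
        print(f"{key}: {values}")
```

Running the script prints cn, commonName, cn-basic, eppn and persistent-id; the mail-style attribute with no rule is absent from the output, and the basic-format cn value lands only under cn-basic because the default rule for cn accepts only the two URI formats.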
...
Indicated by type="Assertion", allows well-defined content from within a SAML assertion to be extracted and passed to an application as an attribute. This supplements older support for extracting a fixed set of information from the assertion and populating well-defined variables/headers (e.g., the Shib-Identity-Provider header and so forth).
<AttributeExtractor type="Assertion"
Issuer="Shib-Identity-Provider"
AuthnInstant="Shib-Authentication-Instant"
AuthnContextClassRef="Shib-AuthnContext-Class"
AuthnContextDeclRef="Shib-AuthnContext-Decl"
SessionIndex="Shib-Session-Index"
/>
...
Indicated by type="Metadata", allows well-defined content from within SAML metadata to be extracted and passed to an application as an attribute. This plugin executes only when extraction of an <md:RoleDescriptor> (or one of its concrete subtypes) is done, which is dependent on the use of the metadataAttributePrefix application setting.
<AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName"/>
...
The attribute extractor's configuration is a reloadable resource, which means that the XML content can be supplied inline, in a local file, or in a remote file, and can be monitored for changes and reloaded on the fly. The root of the XML instance MUST be an <am:Attributes> element.
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<GSSAPIAttribute name="urn:ietf:params:gss-eap:radius-avp urn:x-radius:1" id="radius-1"/>
</Attributes>
...