...
- Create an attribute definition to use as the basis of the identifier. This can be done directly on top of a raw source attribute or a higher-level attribute definition. The IdPAddAttribute topic includes information on this step.
- Attach SAML 1 Name Identifier and/or SAML 2 NameID attribute encoders to the attribute definition.
Custom Name Identifier Attribute Definition

```xml
<resolver:AttributeDefinition id="customId" xsi:type="Simple" sourceAttributeID="uid"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="DEFINITION_ID_1" />
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</resolver:AttributeDefinition>
```
...
Finally, define an attribute filter policy that releases the internal attribute to the intended relying parties.
Attribute Filter Policy Releasing Custom ID to a Relying Party

```xml
<AttributeFilterPolicy id="releaseCustomIdToPartner">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.org/shibboleth" />
    <AttributeRule attributeID="customId">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```
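The three steps above only work together: an attribute with a name identifier encoder has to be matched by a filter policy that releases it. The following check is an added example, not part of the original page or of Shibboleth. It cross-references the two files and reports, for each name identifier attribute, the relying parties it is released to. The function names, the `orphanId` attribute and the trimmed sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
NAMEID_ENCODERS = {"SAML1StringNameIdentifier", "SAML2StringNameID"}

def local(tag):
    return tag.rsplit("}", 1)[-1]                    # drop "{namespace}"
def xsi_type(el):
    return el.get(XSI_TYPE, "").rsplit(":", 1)[-1]   # drop any "prefix:"

def nameid_attributes(resolver_xml):
    """IDs of attribute definitions that carry a name identifier encoder."""
    return {d.get("id") for d in ET.fromstring(resolver_xml).iter()
            if local(d.tag) == "AttributeDefinition" and any(
                local(c.tag) == "AttributeEncoder" and xsi_type(c) in NAMEID_ENCODERS
                for c in d)}

def release_map(filter_xml):
    """attributeID -> requesters ('*' = anyone, '?' = rule type not analysed here)."""
    released = {}
    for pol in ET.fromstring(filter_xml).iter():
        if local(pol.tag) != "AttributeFilterPolicy":
            continue
        req = next((c for c in pol if local(c.tag) == "PolicyRequirementRule"), None)
        kind = xsi_type(req) if req is not None else ""
        who = ("*" if kind == "ANY" else
               req.get("value", "?") if kind == "AttributeRequesterString" else "?")
        for rule in pol:   # only rules with a PermitValueRule child count as a release
            if local(rule.tag) == "AttributeRule" and any(
                    local(c.tag) == "PermitValueRule" for c in rule):
                released.setdefault(rule.get("attributeID"), set()).add(who)
    return released

def audit(resolver_xml, filter_xml):
    """Name identifier attribute -> sorted requesters; [] means never released."""
    released = release_map(filter_xml)
    return {a: sorted(released.get(a, ())) for a in nameid_attributes(resolver_xml)}

# Constructed sample input, trimmed to the elements and attributes the check reads.
XSI = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
RESOLVER = f"""<r:AttributeResolver xmlns:r="urn:mace:shibboleth:2.0:resolver" {XSI}>
  <r:AttributeDefinition id="customId"><r:AttributeEncoder xsi:type="SAML2StringNameID"/></r:AttributeDefinition>
  <r:AttributeDefinition id="orphanId"><r:AttributeEncoder xsi:type="SAML1StringNameIdentifier"/></r:AttributeDefinition>
</r:AttributeResolver>"""
FILTER = f"""<AttributeFilterPolicy id="releaseCustomIdToPartner" {XSI}>
  <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.org/shibboleth"/>
  <AttributeRule attributeID="customId"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
</AttributeFilterPolicy>"""
print(audit(RESOLVER, FILTER))
```

An empty list marks an identifier that no policy releases, and `*` marks one released to every requester, which is worth a second look when the identifier is built from a persistent source attribute such as `uid`.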