...

The SP translates attributes that it receives on the wire, typically from SAML assertions, using an attribute extractor, normally configured through the attribute-map.xml configuration file. The file contains a series of mapping rules that reference the "on the wire" representation and connect it to a more convenient short-hand.

To define a new mapping, one needs to add a new <Attribute> element. The name property in the rule corresponds to the formal SAML name the IdP uses for the attribute, generally a URI. The id property is the shorthand name to use, and it determines the environment variable or header by which the attribute is made available to the web application.

Example of a Simple String-valued Attribute:

<Attribute name="https://example.org/myAttributes/FavoriteFruit" id="favFruit"/>

If the IdP uses an AttributeNamespace other than urn:mace:shibboleth:1.0:attributeNamespace:uri (SAML 1.x), or a NameFormat other than urn:oasis:names:tc:SAML:2.0:attrname-format:uri or urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified (SAML 2.0), then you must also include a nameFormat attribute with the corresponding value.

Example of a Simple String-valued Attribute with nameFormat:

<Attribute name="https://example.org/myAttributes/FavoriteFruit" id="favFruit" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>

Custom Decoders

For most attributes, a simple rule as above is sufficient, but if the attribute's values are more than simple strings, a custom <AttributeDecoder> needs to be supplied inside the <Attribute> element.

...

Once a mapping is created, the attribute's values, if any, will be available in an environment variable or header corresponding to the rule's id and/or aliases properties. Multiple values are separated by a semicolon, and semicolons in values are escaped with a backslash. The data should be interpreted as UTF-8, which is a superset of ASCII.
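The following is an added example, not code from the Shibboleth SP itself, that models both halves of what the text above describes: applying <Attribute> rules (name, id, optional nameFormat) to the Attribute elements of a SAML 2.0 AttributeStatement, and then encoding and decoding the resulting multi-valued header or environment value with the semicolon separator and backslash escape. The attribute-map fragment, the AttributeStatement and its values are constructed for the example; the rule-matching logic (a rule without nameFormat accepting the uri and unspecified formats) is a simplification of the SP's extractor, and the attribute-map namespace used in the sample is assumed rather than taken from this page.

```python
import xml.etree.ElementTree as ET

# NameFormats that the text says need no explicit nameFormat in the rule (plus an absent attribute).
DEFAULT_NAME_FORMATS = {
    None,
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
}

# Constructed attribute-map fragment for the example; the namespace URI is an assumption.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="https://example.org/myAttributes/FavoriteFruit" id="favFruit"/>
  <Attribute name="https://example.org/myAttributes/Group" id="group"
             nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
</Attributes>"""

# Constructed AttributeStatement: the third Attribute has the right Name but the wrong
# NameFormat for the "group" rule, so it must not be mapped.
ASSERTION = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="https://example.org/myAttributes/FavoriteFruit"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>apple</saml:AttributeValue>
    <saml:AttributeValue>pear; quince</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://example.org/myAttributes/Group"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://example.org/myAttributes/Group"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>should-not-map</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_attribute_map(xml_text):
    """Read <Attribute name= id= [nameFormat=]/> rules from an attribute-map document."""
    rules = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "Attribute":
            rules.append({"name": el.attrib["name"], "id": el.attrib["id"],
                          "nameFormat": el.attrib.get("nameFormat")})
    return rules


def rule_matches(rule, name, name_format):
    """A rule matches on Name; without nameFormat it accepts only the default formats."""
    if rule["name"] != name:
        return False
    if rule["nameFormat"] is None:
        return name_format in DEFAULT_NAME_FORMATS
    return rule["nameFormat"] == name_format


def map_attributes(rules, assertion_xml):
    """Apply the rules to every SAML Attribute; returns {rule id: [values]}."""
    mapped = {}
    for attr in ET.fromstring(assertion_xml).iter():
        if _local(attr.tag) != "Attribute":
            continue
        name, name_format = attr.attrib.get("Name"), attr.attrib.get("NameFormat")
        values = [(v.text or "") for v in attr if _local(v.tag) == "AttributeValue"]
        for rule in rules:
            if rule_matches(rule, name, name_format):
                mapped.setdefault(rule["id"], []).extend(values)
    return mapped


def encode_values(values):
    """Join values with ';', escaping semicolons inside a value as '\\;' (as the text describes)."""
    return ";".join(v.replace(";", "\\;") for v in values)


def decode_values(encoded):
    """Split a header/environment value on unescaped ';', unescaping '\\;' back to ';'."""
    if encoded == "":
        return []
    values, current, i = [], [], 0
    while i < len(encoded):
        if encoded[i] == "\\" and i + 1 < len(encoded) and encoded[i + 1] == ";":
            current.append(";")
            i += 2
            continue
        if encoded[i] == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(encoded[i])
        i += 1
    values.append("".join(current))
    return values


def read_attribute(raw_bytes):
    """What a web application does with the raw variable: decode UTF-8 strictly, then split."""
    return decode_values(raw_bytes.decode("utf-8"))


if __name__ == "__main__":
    mapped = map_attributes(parse_attribute_map(ATTRIBUTE_MAP), ASSERTION)
    for attr_id, values in mapped.items():
        print(attr_id, "=", encode_values(values), "->", read_attribute(encode_values(values).encode("utf-8")))
```

Note that the decoder only reverses the one escape the text describes (a backslash before a semicolon); any other backslash is passed through unchanged, so an application that splits on every semicolon would mis-handle the "pear; quince" value above and see an extra empty-looking fragment.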

Outside of the application itself, you can use mapped attributes for static access control. The SP includes a pair of plugins for this: a cross-platform XML-based mechanism and support for Apache .htaccess.