...
The SP translates attributes that it receives on the wire, typically from SAML assertions, using an attribute extractor, typically configured via the attribute-map.xml file. The file contains a series of mapping rules that reference the "on the wire" representation and connect it to a more convenient short-hand.
To define a new mapping, one needs to add a new <Attribute> element. The name property in the rule corresponds to the formal SAML name the IdP is using for the attribute, generally a URI. The id property is the shorthand name to use, and determines the environment variable or header by which the attribute will be made available to the web application.
```xml
<Attribute name="https://example.org/myAttributes/FavoriteFruit" id="favFruit"/>
```
If the IdP uses an AttributeNamespace other than urn:mace:shibboleth:1.0:attributeNamespace:uri (SAML 1.x), or a NameFormat other than urn:oasis:names:tc:SAML:2.0:attrname-format:uri or urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified (SAML 2.0), then you must also include a nameFormat attribute with the corresponding value.
```xml
<Attribute name="https://example.org/myAttributes/FavoriteFruit" id="favFruit" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
```
Custom Decoders
For most attributes, a simple rule as above is sufficient, but if the attribute's values are more than simple strings, a custom <AttributeDecoder> needs to be supplied inside the <Attribute> element.
...
Once a mapping is created, the attribute's values, if any, will be available in an environment variable or header corresponding to the rule's id and/or aliases properties. Multiple values are separated by a semicolon, and semicolons in values are escaped with a backslash. The data should be interpreted as UTF-8, which is a superset of ASCII.
Externally to an application, you can utilize mapped attributes for static access control. Included with the SP are a pair of plugins, a cross-platform XML-based mechanism and support for Apache .htaccess.