Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
Overview
The Simple attribute definition copies input attributes to an output attribute.
Historically this was used to 'expose' attributes sourced from a DataConnector, turning them from internal data into "real" attribute objects. This is no longer required as a DataConnector can "export" its results to produce first-order attribute objects if they require no post-processing.
Remaining use cases for this definition include (not exhaustively):
Attaching <AttributeEncoder> plugins (or <Display> and <Description> elements) in the event that you prefer that to relying on the AttributeRegistryConfiguration
Combining multiple source attributes into a new attribute containing a union of values
Duplicating an existing attribute under a separate ID
Conditionally producing an attribute object using an activation condition
Pre-resolving an attribute so it can be used within another connector or definition's activation condition. See PreRequestedAttributes.
Configuring this definition typically requires adding at least one <InputAttributeDefinition> or <InputDataConnector> element.
Reference
Specific XML Attributes
Name | Type | Default | Description |
---|---|---|---|
ignoreNullValues 4.2 | boolean | false | If set to true then null values are removed during attribute resolution. |
Common XML Attributes
Name | Type | Default | Description |
---|---|---|---|
id | String | | Identifier for the IdPAttribute as well as its definition. This is used for logging and to establish dependencies and relationships between connectors and definitions, and to reference the data item in filter rules and many other configuration features. Note that the value MUST NOT contain whitespace, and use of certain other special characters will result in warnings that should be addressed in case the rules are made more strict in future versions. |
activationConditionRef | Bean Reference | | Bean ID of a condition to decide whether to resolve this definition, see here. Mutually exclusive with relyingParties and resolutionPhases and variants |
relyingParties | Space-delimited list | | List of entity IDs for which this Attribute Definition should be resolved. Mutually exclusive with activationConditionRef |
excludeRelyingParties | Space-delimited list | | List of entity IDs for which this Attribute Definition should not be resolved. Mutually exclusive with activationConditionRef |
resolutionPhases | Space-delimited list | | List of resolution labels for which this Attribute Definition should be resolved; this corresponds to values that are sometimes set in the AttributeResolutionContext’s “resolutionLabel” field. Mutually exclusive with activationConditionRef |
excludeResolutionPhases | Space-delimited list | | List of resolution labels for which this Attribute Definition should not be resolved; this corresponds to values that are sometimes set in the AttributeResolutionContext’s “resolutionLabel” field. Mutually exclusive with activationConditionRef |
dependencyOnly | Boolean | false | If set to true, the attribute is not exposed outside the resolution process and is available solely within the resolution process |
preRequested | Boolean | false | If set to true, the attribute (and its dependencies) will be resolved in pre-pass and its value made available to other definitions' ActivationConditions. See PreRequestedAttributes for details. |
propagateResolutionExceptions | Boolean | true | Whether connector/plugin failure is fatal to the entire attribute resolution process. If this is set to false the error is logged and no values are returned for this attribute. |
Common XML Elements
Name | Cardinality | Description |
---|---|---|
<InputAttributeDefinition> | 0 or more | This element identifies an attribute definition which is an input to this attribute definition. |
<InputDataConnector> | 0 or more | This element identifies a data connector whose attributes are to be input to this attribute definition. |
<AttributeEncoder> | 0 or more | An inline definition of how an attribute will be encoded for inclusion in a message to a relying party. These are distinguished by an xsi:type attribute, and the different types are documented here. Replaceable via the more generic AttributeRegistryConfiguration. |
<DisplayName> | 0 or more | A human readable name for this attribute. This name may, for example, be displayed to the user to consent to the attribute's release. If multiple display names are used, then they should bear an xml:lang attribute to distinguish them. Replaceable via the more generic AttributeRegistryConfiguration. |
<DisplayDescription> | 0 or more | A human readable description for this attribute. This description may, for example, be displayed to the user to consent to the attribute's release. If multiple display descriptions are used, then they should bear an xml:lang attribute to distinguish them. Replaceable via the more generic AttributeRegistryConfiguration. |
Example
In this example, the eduPersonEntitlement attribute is produced by merging two sources of entitlements to get the final set of values. If there were only a single source of values, the definition would likely be unneeded.
    <AttributeDefinition xsi:type="ad:Simple" id="eduPersonEntitlement">
        <InputDataConnector ref="myLDAP" attributeNames="eduPersonEntitlement" />
        <InputDataConnector ref="groupDatabase" attributeNames="groupURLs" />
    </AttributeDefinition>
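The following is an added example, not taken from the Shibboleth documentation, showing how the common attributes in the reference tables combine to keep a merged attribute internal and resolve a copy of it for a single relying party only. The IDs allEntitlements and partnerEntitlement and the entity ID https://sp.example.org/shibboleth are constructed placeholders; the connectors and the xsi:type form are reused from the example above.

```xml
<!-- Added example: IDs and the entity ID below are constructed placeholders. -->

<!-- Internal union of both sources. dependencyOnly keeps it out of the
     resolver's output, so it is only usable as an input to other plugins.
     ignoreNullValues (4.2 and later) drops null values during resolution. -->
<AttributeDefinition xsi:type="ad:Simple" id="allEntitlements"
        dependencyOnly="true"
        ignoreNullValues="true">
    <InputDataConnector ref="myLDAP" attributeNames="eduPersonEntitlement" />
    <InputDataConnector ref="groupDatabase" attributeNames="groupURLs" />
</AttributeDefinition>

<!-- The same values under a separate ID, resolved only for one relying party.
     relyingParties is mutually exclusive with activationConditionRef, so set
     one or the other, never both.
     propagateResolutionExceptions="false": a connector failure is logged and
     this attribute gets no values, instead of failing the whole resolution. -->
<AttributeDefinition xsi:type="ad:Simple" id="partnerEntitlement"
        relyingParties="https://sp.example.org/shibboleth"
        propagateResolutionExceptions="false">
    <InputAttributeDefinition ref="allEntitlements" />
</AttributeDefinition>
```

Limiting resolution with relyingParties does not replace the attribute filter policy, which still decides what is released to each relying party.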