Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
The Prescoped attribute definition turns a simple string-valued attribute into a two-part scoped attribute by splitting the input attribute into three parts: the value, a (fixed) delimiter, and the scope/suffix. Such attributes can be used as input to the SAML2ScopedStringEncoder and SAML1ScopedStringAttributeEncoder attribute encoders.
The prescoped attribute definition is useful when a data connector returns attributes with values which already have an appropriate scope appended in the source system.
Configuration Reference
Attributes
Any of the common attributes can be specified.
Name | Type | Default | Description |
---|---|---|---|
id | String | | Identifier for the IdPAttribute as well as its definition. This is used for logging and to establish dependencies and relationships between connectors and definitions, and to reference the data item in filter rules and many other configuration features. Note that the value MUST NOT contain whitespace, and use of certain other special characters will result in warnings that should be addressed in case the rules are made more strict in future versions. |
activationConditionRef | Bean Reference | | Bean ID of a condition to decide whether to resolve this definition, see here. |
relyingParties | Space-delimited list | | List of entity IDs for which this Attribute Definition should be resolved. |
excludeRelyingParties 4.1 | Space-delimited list | | List of entity IDs for which this Attribute Definition should not be resolved. |
resolutionPhases 4.1 | Space-delimited list | | List of resolution phases (i.e. flows) during which this Attribute Definition should be resolved. |
excludeResolutionPhases 4.1 | Space-delimited list | | List of resolution phases (i.e. flows) during which this Attribute Definition should not be resolved. |
dependencyOnly | Boolean | false | If set to true, the attribute is not exposed outside the resolution process and is available solely within the resolution process. |
| Boolean | false | If set to true, the attribute (and its dependencies) will be resolved in pre-pass and its value made available to other definitions' ActivationConditions. See PreRequestedAttributes for details. |
profileContextStrategyRef | Bean Reference | | DEPRECATED in 4.3. Bean ID of a function injected to override the normal lookup process for the request's ProfileRequestContext. |
In addition, the optional scopeDelimiter attribute defines the delimiter which separates the value from the scope. The default is "@".
Child Elements
Any of the common child elements can be specified.
Name | Cardinality | Description |
---|---|---|
<InputAttributeDefinition> | 0 or more | This element identifies an attribute definition which is an input to this attribute definition. |
<InputDataConnector> | 0 or more | This element identifies a data connector whose attributes are to be input to this attribute definition. |
<AttributeEncoder> | 0 or more | An inline definition of how an attribute will be encoded for inclusion in a message to a relying party. These are distinguished by an Replaceable via the more generic AttributeRegistryConfiguration. |
<DisplayName> | 0 or more | A human readable name for this attribute. This name may, for example, be displayed to the user to consent to the attribute's release. If multiple display names are used, then they should bear an Replaceable via the more generic AttributeRegistryConfiguration. |
<DisplayDescription> | 0 or more | A human readable description for this attribute. This description may, for example, be displayed to the user to consent to the attribute's release. If multiple display descriptions are used, then they should bear an Replaceable via the more generic AttributeRegistryConfiguration. |
Example
<AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName">
    <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName" />
    <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
</AttributeDefinition>
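Because a Prescoped definition takes the scope directly from the source system, it is worth checking the source values before relying on them. The following is an added example, not part of the Shibboleth documentation or code: a Python pre-check that models the value/delimiter/scope split described above and sorts source values into usable, malformed, and unexpected-scope buckets. The strict split rule, the exact-match scope comparison, the function names and the sample values are all assumptions made for illustration.

```python
from __future__ import annotations

from typing import Iterable, NamedTuple, Optional


class Scoped(NamedTuple):
    value: str
    scope: str


def split_prescoped(raw: str, delimiter: str = "@") -> Optional[Scoped]:
    """Split raw into (value, scope); return None if it lacks that shape.

    Assumption: strict rule, exactly one delimiter with non-empty text on
    both sides. How the IdP treats other shapes is not stated on the page.
    """
    if not delimiter or raw.count(delimiter) != 1:
        return None
    value, scope = raw.split(delimiter)
    if not value or not scope:
        return None
    return Scoped(value, scope)


def audit(values: Iterable[str], expected_scopes: set[str],
          delimiter: str = "@") -> dict[str, list[str]]:
    """Bucket source values; scopes are compared by exact match (assumption)."""
    report: dict[str, list[str]] = {"ok": [], "malformed": [], "unexpected_scope": []}
    for raw in values:
        parsed = split_prescoped(raw, delimiter)
        if parsed is None:
            report["malformed"].append(raw)
        elif parsed.scope not in expected_scopes:
            report["unexpected_scope"].append(raw)
        else:
            report["ok"].append(raw)
    return report


# Constructed sample values, standing in for what a data connector returns.
SAMPLE = ["alice@example.org", "bob", "carol@example.org@example.org",
          "@example.org", "dave@other.example"]

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE, {"example.org"}).items():
        print(bucket, items)
```

Values in the unexpected_scope bucket are well-formed but carry a scope outside the set passed in, which is the case to review in the source system.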