The Shibboleth IdP V4 software will leave support on September 1, 2024.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

Overview

The SubjectDerivedAttribute AttributeDefinition exposes attributes values derived from the Java Subject(s) produced by the authentication flow(s) used to authenticate the subject of the profile request.

In most cases, the SubjectDataConnector is a more useful option because it can produce multiple attributes at once, and the new exporting feature allows them to be used without additional configuration.

A configuration shortcut allows for the values from any IdPAttribute objects contained inside IdPAttributePrincipal objects to be pulled out, which is an effective way to tunnel attribute data from outside the IdP provided by the External authentication flow.

Reference

Examples

The following locates an IdPAttribute named "Whatever" in an authenticated Subject and turns it into a new IdPAttribute named "SomethingElse".

<AttributeDefinition xsi:type="SubjectDerivedAttribute"
	id="SomethingElse" principalAttributeName="Whatever">

The following locates an IdPAttribute named "Whatever" in a Subject undergoing attribute-sourced C14N (such as a proxied SAML login) and turns it into a new IdPAttribute named "SomethingElse".

<AttributeDefinition xsi:type="SubjectDerivedAttribute" forCanonicalization="true"
	id="SomethingElse" principalAttributeName="Whatever">


  • No labels