The Shibboleth IdP V4 software will leave support on September 1, 2024.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 13 Current »

Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

Overview

The Subject DataConnector exposes IdPAttribute objects contained within Java Subject(s). It examines Subject(s) and extracts all IdPAttributePrincipal custom principal objects and their wrapped IdPAttribute objects and directly exposes them as the outputs of the connector.


The primary use case for this connector is dealing with the results of external/proxied authentication sources that pass attribute data into the IdP. It can operate in a couple of different modes, either operating against Subjects produced as a result of authentication, or against a Subject undergoing SubjectCanonicalization for use in deriving a principal name.

This is a more streamlined "bulk" alternative to the SubjectDerivedAttribute attribute definition, which can extract only a single attribute at a time. Via the new exporting feature, this connector can expose all of the data at once as a passthrough to support proxying of data.

Reference

 Specific XML Attributes

Name

Type

Default

Description

noResultIsError

Boolean

false

Controls whether the extraction of no data constitutes a resolution error, which can trigger failover or fail the resolution outright

forCanonicalization

Boolean

false

If true, a Subject undergoing SubjectCanonicalization is used as input rather than the default of looking for previously completed authentication results

 Common XML Attributes

Name

Type

Default

Description

id

String


Identifier for the DataConnector. This is used for logging, to establish dependencies, and as a target for failover.

activationConditionRef

Bean ID


Bean ID of a condition to decide whether to resolve this connector, see here.
Mutually exclusive with relyingParties and resolutionPhases and variants

relyingParties

Space-delimited list


List of entity IDs for which this connector should be resolved.
Mutually exclusive with activationConditionRef

excludeRelyingParties 4.1

Space-delimited list


List of entity IDs for which this connector should not be resolved.
Mutually exclusive with activationConditionRef

resolutionPhases 4.1

Space-delimited list


List of resolution phases (i.e. flows) during which this connector should be resolved.
Mutually exclusive with activationConditionRef

excludeResolutionPhases 4.1

Space-delimited list


List of resolution phases (i.e. flows) during which this connector should not be resolved.
Mutually exclusive with activationConditionRef

exportAttributes

Space-delimited list


List of attributes produced by the DataConnector that should be directly exported as resolved IdPAttributes without requiring actual AttributeDefinitions.

In the case of a name clash (a DataConnector exports an attribute with the same name as an AttributeDefinition, or another DataConnector exports the same attribute) the DataConnector attribute is NOT added and a warning issued.

noRetryDelay

Duration

0

Time between retries of a failed DataConnector (during the interval, failure is just assumed when the connector is run and no actual connection is attempted)

propagateResolutionExceptions

Boolean

true

Whether connector/plugin failure is fatal to the entire attribute resolution process

The following table contains advanced settings rarely used in common practice.

These are all DEPRECATED in 4.3

Name

Type

Description

springResources

String

DEPRECATED  in 4.3

A series of ';' separated resource names which contain Spring definitions for this connector.

Not valid for ComputedId and Stored DataConnector.

springResourcesRef

Bean ID

DEPRECATED  in 4.3

Bean ID of a List<Resource> which contain Spring definitions for this connector. See below.
Not valid for Computed and Stored DataConnector

factoryPostProcessorsRef

Bean ID

DEPRECATED  in 4.3

Bean ID of a List<BeanFactoryPostProcessor> for use when parsing the resources specified by springResources or springResourcesRef

postProcessorsRef

Bean ID

DEPRECATED  in 4.3

Bean ID of a List<BeanPostProcessor> for use when parsing the resources specified by springResources or springResourcesRef

profileContextStrategyRef

Bean ID

DEPRECATED  in 4.3

Bean ID of a function injected to override the normal lookup process for the request's ProfileRequestContext

 Common XML Elements

Name

Cardinality

Description

<InputAttributeDefinition>

0 or more

This element identifies an attribute definition which is an input to this data connector

<InputDataConnector>

0 or more

This element identifies a data connector whose attributes are to be input to this data conector

<FailoverDataConnector>   

0 or 1

This element has a single attribute ref="whatever" whose content is the identifier of a data connector to resolve if this data connector fails (for instance due to the external data source being unavailable)

Example

Example of a Subject DataConnector
<DataConnector id="passthroughAttributes" xsi:type="Subject" exportAttributes="foo bar baz" />


  • No labels