Using this plugin requires that the plugins.so extension library be loaded via the <
Extensions
>
element in the <
OutOfProcess
>
element.
Overview
Identified by type="GSSAPI"
, this AttributeExtractor implements an XML-based rule syntax for designating GSS-API naming extensions to decode into internal attributes.
GSS-API names or contexts can be processed by encoding the exported data in base64, and wrapping in an <am:GSSName>
or <am:GSSContext>
element respectively, to meet the constraints of the API, which are based around XML as input.
This extractor's configuration is implemented as a reloadable XML resource, which means that the XML content can be supplied inline, in a local file, or a remote file, and can be monitored for changes and reloaded on the fly (but see the warning below). The root of the XML in any of those cases MUST be an <am:Attributes>
element, either as a child element in an existing file or the root of a different file.
Each <am:GSSAPIAttribute>
child element installs a rule for extracting a particular GSS naming extension attribute into an internal SP attribute. The source of the attribute is identified with the name
XML attributes and internally tagged by the id.
Multiple <am:GSSAPIAttribute>
rules can share the same id
; the implication is that a given internal name may be mapped from multiple externally-named sources to consolidate multiple sources down into one representation.
Reference
Attributes
Aside from the type="XML"
attribute itself, there is no other attribute content specific to this plugin type.
It supports all of the attributes common to all reloadable configuration resources:
Names | Type | Default | Description |
---|---|---|---|
id | string |
| Identifies the component for logging purposes. |
url | URL |
| Remote location of an XML resource containing the required configuration. The SP does not verify the transport (i.e. it does not verify the X.509 certificate presented by the remote server when HTTPS is the transport). |
path | local path |
| Path to a local file containing the required configuration |
validate | boolean | false | If true, XML validation is performed when loading the resource |
reloadChanges | boolean | true | If a path attribute is used, the local file is monitored for changes and reloaded dynamically. This incurs some runtime overhead for locking, so should be disabled if not needed. |
maxRefreshDelay | time in seconds | 0 | If a url attribute is used, this attribute sets the time between attempts to download a fresh copy of the resource. If 0 (the default), no reloading occurs. This incurs some runtime overhead for locking, so should be left at 0 if not needed |
reloadInterval |
|
| Synonym for maxRefreshDelay |
backingFilePath | local path |
| If a url attribute is used, the downloaded resource is copied to this location. If the software is started and the remote resource is unavailable or invalid, the backing file is loaded instead |
certificate | local path |
| Path to a certificate containing a public key to use to require and verify an XML signature over the resource. The certificate's other content is ignored. |
signerName | string |
| If present, the name is supplied to the <TrustEngine> used to verify an XML signature over the resource. A certificate containing the name must be available in the verification process (typically inside the signature). |
Child Elements
The following child element must be provided, either inline, or as the root element of a local or remote XML resource to load from, which would be specified via the attribute(s) above.
Name | Cardinality | Description |
---|---|---|
<am:Attributes> | 1 | Root element of configuration |
When a non-inline configuration is used, it supports the following child elements common to all reloadable configuration resources.
These child elements are typically only used when relying on a remote configuration resource and are for advanced use cases.
Name | Cardinality | Description | |
---|---|---|---|
0 or 1 | Used to require the presence of a top-level signature over the entire resource and to control the verification process | ||
0 or 1 | Used to require the presence of a top-level signature over the entire resource and to control the verification process. Mutually exclusive with the | ||
0 or more | Provides low-level control over the library used to remotely access the resource |
<am:Attributes>
Element Reference
This is the root element of the mapping configuration.
Child Elements
The following child element content is supported:
Name | Cardinality | Description | |
---|---|---|---|
<am:GSSAPIAttribute> | 1 or more | An extraction rule |
<am:GSSAPIAttribute>
Element Reference
Each <am:GSSAPIAttribute>
element describes an extraction rule, the core of this plugin's behavior.
Attributes
An extraction rule supports the following XML attributes:
Name | Type | Req? | Default | Description |
---|---|---|---|---|
id | string | Y | Name of the attribute to create | |
name | string | Y | GSS-API naming extension attribute to extract from | |
authenticated | boolean | true | If true, only authenticated GSS-API naming attributes are processed | |
scopeDelimeter | character | If set, all values of the naming attribute must contain the character, and it is used to split the value into a two-part construct expressed as a scoped attribute | ||
binary | boolean | false | If set, this overrides the |
Examples
A typical non-inline configuration of this plugin is:
Specifying a GSSAPI Extractor in another file
<AttributeExtractor type="GSSAPI" reloadChanges="false" path="gss-api.xml"/>
A simple example configuration:
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"> <GSSAPIAttribute name="urn:ietf:params:gss-eap:radius-avp urn:x-radius:1" id="radius-1"/> </Attributes>