
Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

Overview

The SubjectDerivedAttribute AttributeDefinition exposes attributes values derived from the Java Subject(s) produced by the authentication flow(s) used to authenticate the subject of the profile request.

In most cases, the SubjectDataConnector is a more useful option because it can produce multiple attributes at once, and the new exporting feature allows them to be used without additional configuration.

A configuration shortcut allows the values of any IdPAttribute objects contained inside IdPAttributePrincipal objects to be pulled out, which is an effective way to tunnel attribute data from outside the IdP that the External authentication flow supplies.

Reference

Specific XML Attributes

The source of the Subject(s) to evaluate is controlled with:

forCanonicalization (Boolean, default: false)
    If true, a Subject undergoing SubjectCanonicalization is used as input rather than the default of looking for authenticated Subjects.

Exactly one of the following must be provided:

principalAttributeName (String)
    The name of an IdPAttribute found inside an IdPAttributePrincipal contained in one of the authenticated Subject(s).

attributeValuesFunctionRef (Bean ID)
    The ID of a Spring bean implementing Function<Principal,List<IdPAttributeValue>>. The function is invoked for each Principal found within the authenticated Subject(s), instead of relying on the default behavior.

Common XML Attributes

id (String)
    Identifier for the IdPAttribute as well as its definition. This is used for logging, to establish dependencies and relationships between connectors and definitions, and to reference the data item in filter rules and many other configuration features.
    Note that the value MUST NOT contain whitespace, and use of certain other special characters will result in warnings that should be addressed in case the rules are made more strict in future versions.

activationConditionRef (Bean Reference)
    Bean ID of a condition that decides whether to resolve this definition; see the activation condition documentation.
    Mutually exclusive with relyingParties, resolutionPhases and their exclude variants.

relyingParties (Space-delimited list)
    List of entity IDs for which this Attribute Definition should be resolved.
    Mutually exclusive with activationConditionRef.

excludeRelyingParties (Space-delimited list)
    List of entity IDs for which this Attribute Definition should not be resolved.
    Mutually exclusive with activationConditionRef.

resolutionPhases (Space-delimited list)
    List of resolution labels for which this Attribute Definition should be resolved; this corresponds to values that are sometimes set in the AttributeResolutionContext's "resolutionLabel" field.
    Mutually exclusive with activationConditionRef.

excludeResolutionPhases (Space-delimited list)
    List of resolution labels for which this Attribute Definition should not be resolved; this corresponds to values that are sometimes set in the AttributeResolutionContext's "resolutionLabel" field.
    Mutually exclusive with activationConditionRef.

dependencyOnly (Boolean, default: false)
    If set to true, the attribute is not exposed outside the resolution process and is available solely within it.

preRequested (Boolean, default: false)
    If set to true, the attribute (and its dependencies) will be resolved in a pre-pass and its value made available to other definitions' ActivationConditions.
    See PreRequestedAttributes for details.

propagateResolutionExceptions (Boolean, default: true)
    Whether connector/plugin failure is fatal to the entire attribute resolution process.
    If this is set to false, the error is logged and no values are returned for this attribute.

Common XML Elements

At least one dependency element is required.

<InputAttributeDefinition> (0 or more)
    This element identifies an attribute definition which is an input to this attribute definition.

<InputDataConnector> (0 or more)
    This element identifies a data connector whose attributes are to be input to this attribute definition.

<AttributeEncoder> (0 or more)
    An inline definition of how an attribute will be encoded for inclusion in a message to a relying party. These are distinguished by an xsi:type attribute, and the different types are documented separately.
    Replaceable via the more generic AttributeRegistryConfiguration.

<DisplayName> (0 or more)
    A human readable name for this attribute. This name may, for example, be displayed to the user when consenting to the attribute's release.
    If multiple display names are used, they should bear an xml:lang attribute to distinguish them.
    Replaceable via the more generic AttributeRegistryConfiguration.

<DisplayDescription> (0 or more)
    A human readable description of this attribute. This description may, for example, be displayed to the user when consenting to the attribute's release.
    If multiple display descriptions are used, they should bear an xml:lang attribute to distinguish them.
    Replaceable via the more generic AttributeRegistryConfiguration.

Examples

The following locates an IdPAttribute named "Whatever" in an authenticated Subject and turns it into a new IdPAttribute named "SomethingElse". The element is self-closing because this definition takes no child elements beyond any dependencies you choose to declare.

<AttributeDefinition xsi:type="SubjectDerivedAttribute"
    id="SomethingElse" principalAttributeName="Whatever" />

The following locates an IdPAttribute named "Whatever" in a Subject undergoing attribute-sourced C14N (such as a proxied SAML login) and turns it into a new IdPAttribute named "SomethingElse".

<AttributeDefinition xsi:type="SubjectDerivedAttribute" forCanonicalization="true"
    id="SomethingElse" principalAttributeName="Whatever" />
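The attributeValuesFunctionRef option above replaces the principalAttributeName lookup with a bean of your own. As an added example, not code from the Shibboleth project or from this page, the following Java class shows what such a bean can look like. It assumes the IdP v4 API, where the function type is java.util.function.Function<Principal,List<IdPAttributeValue>>, and the IdPAttributePrincipal, IdPAttribute and StringAttributeValue classes from the IdP; the package org.example.idp, the class name and the allow-list regular expression are assumptions of this example. It goes one step beyond the page's default behaviour: besides pulling the values out of the named IdPAttribute, it only passes through string values matching an allow-list, so attribute data tunnelled in from an external authentication flow is constrained before it becomes a resolver attribute.

```java
// Added example, not part of the Shibboleth IdP. Package and class name are hypothetical.
package org.example.idp;

import java.security.Principal;
import java.util.Collections;
import java.util.List;
import java.util.function.Function;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

import net.shibboleth.idp.attribute.IdPAttribute;
import net.shibboleth.idp.attribute.IdPAttributeValue;
import net.shibboleth.idp.attribute.StringAttributeValue;
import net.shibboleth.idp.authn.principal.IdPAttributePrincipal;

/**
 * Value function for a SubjectDerivedAttribute definition that uses
 * attributeValuesFunctionRef. The resolver calls apply() once for every
 * Principal in the authenticated Subject(s), so the function must decide
 * for each one whether it contributes values; returning an empty list is
 * the normal answer for principal types it does not recognise.
 */
public class AllowListedPrincipalAttributeFunction
        implements Function<Principal, List<IdPAttributeValue>> {

    /** ID of the IdPAttribute to look for inside IdPAttributePrincipal objects. */
    private final String attributeName;

    /** Only string values fully matching this pattern are returned. */
    private final Pattern allowed;

    /**
     * @param attributeName IdPAttribute ID to extract, e.g. "Whatever"
     * @param allowedRegex  allow-list for values, e.g. "[A-Za-z0-9._-]{1,64}" (assumed value)
     */
    public AllowListedPrincipalAttributeFunction(String attributeName, String allowedRegex) {
        this.attributeName = attributeName;
        this.allowed = Pattern.compile(allowedRegex);
    }

    @Override
    public List<IdPAttributeValue> apply(Principal principal) {
        // Any other kind of Principal (UsernamePrincipal, authentication method
        // principals, ...) contributes nothing to this attribute.
        if (!(principal instanceof IdPAttributePrincipal)) {
            return Collections.emptyList();
        }

        IdPAttribute attribute = ((IdPAttributePrincipal) principal).getAttribute();
        if (attribute == null || !attributeName.equals(attribute.getId())) {
            return Collections.emptyList();
        }

        // Keep only string values that satisfy the allow-list; non-string value
        // types (byte arrays, scoped values, ...) are dropped rather than passed on.
        return attribute.getValues().stream()
                .filter(v -> v instanceof StringAttributeValue)
                .filter(v -> {
                    String s = ((StringAttributeValue) v).getValue();
                    return s != null && allowed.matcher(s).matches();
                })
                .collect(Collectors.toList());
    }
}
```

Declare the class as a Spring bean (typically in conf/global.xml) with the two constructor arguments, and reference its bean id from the AttributeDefinition via attributeValuesFunctionRef instead of principalAttributeName. Because the resolver invokes the function for every Principal, the instanceof guard at the top is what keeps unrelated principal types from leaking values into the attribute; the allow-list is the place to encode whatever shape the upstream authentication source is supposed to deliver.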
