The <AttributeResolver>
element configures a plugin responsible for obtaining additional identity attributes about the logged in user following a SSO event.
During SSO, the IdP can supply attributes in a "push" fashion inside the SAML assertions it issues. These attributes are decoded with an attribute extractor and cached with the user's session. The purpose of a resolver plugin is to "pull" attributes from additional sources or to transform existing attributes in some way.
Several different Attribute Resolvers are available. They are selected using the type=
attribute. Each type has its own Child Elements and Attributes.