A mapped attribute definition creates an attribute by mapping the values of another attribute definition or data connector to one or more different values. The following steps walk through creating a simple attribute definition.
The definition is defined with the element <resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"> with the following required attribute:
and the following optional attributes:
<resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="UNIQUE_ID">
<!-- Remaining configuration from the next step go here -->
</resolver:AttributeDefinition>
|
It is very common for one component, like attribute definitions, within the attribute resolver to depend on information retrieved or constructed from another component.
Dependencies are expressed by the <resolver:Dependency> with a ref attribute whose value is the unique ID of the attribute definition or the data connector that this connector depends on.
<resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="UNIQUE_ID">
<resolver:Dependency ref="DEFINITION_ID_1" />
<resolver:Dependency ref="DEFINITION_ID_2" />
<resolver:Dependency ref="CONNECTOR_ID_3" />
<resolver:Dependency ref="CONNECTOR_ID_4" />
<!-- Remaining configuration from the next step go here -->
</resolver:AttributeDefinition>
|
The mapped attribute definition can contain one or more value maps which define the actual mapping to perform. Each <ValueMap> defines a many-to-one mapping of source values to a return value. Many-to-many mappings can be achieved by using multiple maps. Each <ValueMap> contains a single <ReturnValue> and one or more <SourceValue> elements. The source value strings are regular expressions that are matched against source attributes. If the source attribute matches, it is mapped to the return value. <ReturnValue> may contain regular expression back references to capturing groups in the source value.
<resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="UNIQUE_ID">
<!-- Dependency and Failover information would go here -->
<!-- DefaultValue configuration from the next step go here -->
<ValueMap>
<ReturnValue>RETURN_VALUE</ReturnValue>
<SourceValue>SOURCE_VALUE_1</SourceValue>
<SourceValue>SOURCE_VALUE_2</SourceValue>
<SourceValue>SOURCE_VALUE_3</SourceValue>
</ValueMap>
</resolver:AttributeDefinition>
|
The <SourceValue> element also allows the following advanced configuration attributes controlling how matching is performed:
ignoreCase - boolean; if true, value matching will be case-insensitive; defaults to false. Incompatible with partialMatch.partialMatch - boolean; if true, the <SourceValue> may match only a substring of the incoming value. Otherwise, it must match the entire value; defaults to false. This option is mutually exclusive with a regular expression based <SourceValue>.If a source attribute does not match any of the value maps, the <DefaultValue> will be returned if one is defined. The default value may not contain back references to regular expression capture groups. If you want the original source value to be passed through unmodified, set the <DefaultValue> attribute passThru equal to true. If no default value is defined, source values that do not match a value map will simply be dropped.
Imagine the simple scenario in which you have a data store that contains an attribute myEduAffiliation. This attribute is populated with internal affiliation values for students and instructors, but you would like to map them to the controlled vocabulary used by eduPersonAffiliation. You might have a mapped attribute definition that looks something like this.
<resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="UNIQUE_ID"
sourceAttributeID="myEduAffiliation">
<resolver:Dependency ref="myLDAP" />
<!-- default to the generic value 'affiliate' -->
<DefaultValue>affiliate</DefaultValue>
<!-- map internal values like 'student-worker' and 'undergraduate' to 'student' -->
<ValueMap>
<ReturnValue>student</ReturnValue>
<SourceValue>student-.+</SourceValue>
<SourceValue>undergraduate</SourceValue>
</ValueMap>
<!-- map your internal 'instructor' value to 'faculty' -->
<ValueMap>
<ReturnValue>faculty</ReturnValue>
<SourceValue>instructor</SourceValue>
</ValueMap>
<!-- students and instructors are also 'members' -->
<ValueMap>
<ReturnValue>member</ReturnValue>
<SourceValue>student-.+</SourceValue>
<SourceValue>undergraduate</SourceValue>
<SourceValue>instructor</SourceValue>
</ValueMap>
</resolver:AttributeDefinition>
|
You can also leverage the regular expression power of the mapped attribute definition without using the mapping functionality by simply defining only a single source value. For example, imagine you have a name attribute legalName that is of the form "Last, First". However, you'd like to release that attribute as displayName of the form "First Last".
<resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="UNIQUE_ID"
sourceAttributeID="legalName">
<resolver:Dependency ref="myLDAP" />
<!-- if the name is not in the expected format, just return it as-is -->
<DefaultValue passThru="true" />
<!-- convert 'LastName, FirstName' to 'FirstName LastName' -->
<ValueMap>
<ReturnValue>$2 $1</ReturnValue>
<SourceValue>(.+), (.+)</SourceValue>
</ValueMap>
</resolver:AttributeDefinition>
|