AttributeDefinitionConfiguration

Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

Overview

AttributeDefintions produce a single IdPAttribute object, a neutral/internal representation of data. These objects eventually become SAML Attributes, OIDC claims, or other protocol-specific represenations through a process called "encoding". Encoding rules are established either through generic rules established via the AttributeRegistryConfiguration or, as in older versions, by attaching AttributeEncoder plugins within the Attribute Definition.

The ability to attach encoders is what distinguishes the product of an AttributeDefinition from an IdPAttribute produced by DataConnectors, so the difference has started to become somewhat historical with the new registry service providing a more generic facility.

Attribute definitions may also, but need not, be based on the output of a DataConnector, and often transform their input.

AttributeDefinition Plugin Types

An AttributeDefinition is defined using the (naturally) <AttributeDefinition> element, but each type of definition is distinguished by its "XML schema type", which is carried by the xsi:type XML attribute.

The following types are supported:

xsi:type

Function

xsi:type

Function

Simple

Copies an input attribute to an output attribute. Typically this was used to 'expose' attributes sourced from a DataConnector, and is often superfluous now with the ability to export attributes from them directly.

PrincipalName

Exposes the subject's canonicalized principal name as a single-valued attribute

Scoped

Applies a (fixed) scope to the input attribute's values

Prescoped

Splits input attribute values into values and scopes

RegexSplit

Splits input attribute values according to a regular expression

ScriptedAttribute

Generates an attributes using a JSR-223 script

Mapped

Allows many to many mapping of input values to output values according to regular expression mapping rules

Template

Feeds the input values (potentially from multiple input attributes) into a Velocity template to construct output values

SubjectDerived

Extracts individual attribute data from authenticated Subject(s), this is frequently better handled now by the Subject DataConnector

ContextDerived

Extract arbitrary data from the request context via a Function bean

Decrypted 4.1

Decrypt input values using a DataSealer.

Reference

All connectors support a set of common XML Attributes and Elements for configuring common behavior.