The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.
AttributeDefinitionConfiguration
Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
- 1 Overview
- 2 AttributeDefinition Plugin Types
- 2.1 Simple
- 2.2 PrincipalName
- 2.3 Scoped
- 2.4 Prescoped
- 2.5 RegexSplit
- 2.6 ScriptedAttribute
- 2.7 Mapped
- 2.8 Template
- 2.9 SubjectDerived
- 2.10 ContextDerived
- 2.11 Decrypted 4.1
- 2.12 DateTime 4.3
- 3 Reference
Overview
An AttributeDefinition produces a single IdPAttribute object, a neutral/internal representation of data. These objects eventually become SAML Attributes, OIDC claims, or other protocol-specific representations through a process called "encoding". Encoding rules are established either generically via the AttributeRegistryConfiguration or, as in older versions, by attaching AttributeEncoder plugins within the Attribute Definition.
The ability to attach encoders is what distinguishes the product of an AttributeDefinition from an IdPAttribute produced by DataConnectors, so the difference has started to become somewhat historical with the new registry service providing a more generic facility.
Attribute definitions may also, but need not, be based on the output of a DataConnector, and often transform their input.
AttributeDefinition Plugin Types
An AttributeDefinition is defined using the <AttributeDefinition> element, but each type of definition is distinguished by its "XML schema type", which is carried by the xsi:type XML attribute.
The following types are supported:
xsi:type | Function |
---|---|
Simple | Copies an input attribute to an output attribute. Typically this was used to 'expose' attributes sourced from a DataConnector, and is often superfluous now with the ability to export attributes from them directly. |
PrincipalName | Exposes the subject's canonicalized principal name as a single-valued attribute |
Scoped | Applies a (fixed) scope to the input attribute's values |
Prescoped | Splits input attribute values into values and scopes |
RegexSplit | Splits input attribute values according to a regular expression |
ScriptedAttribute | Generates an attribute using a JSR-223 script |
Mapped | Allows many to many mapping of input values to output values according to regular expression mapping rules |
Template | Feeds the input values (potentially from multiple input attributes) into a Velocity template to construct output values |
SubjectDerived | Extracts individual attribute data from authenticated Subject(s); this is frequently better handled now by the Subject DataConnector |
ContextDerived | Extracts arbitrary data from the request context via a Function bean |
Decrypted 4.1 | Decrypts input values using a DataSealer |
DateTime 4.3 | Converts string input values into date/time values |
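The following resolver file is an added example, not taken from the Shibboleth documentation. It shows how xsi:type selects the plugin type, using three of the types above and contrasting a scope fixed in configuration (Scoped) with a scope taken from the input data (Prescoped). The connector id sampleData, the attribute ids, the scope example.org and the values are constructed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
        xmlns="urn:mace:shibboleth:2.0:resolver"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <!-- Constructed sample data standing in for a directory lookup. -->
    <DataConnector id="sampleData" xsi:type="Static">
        <Attribute id="uid">
            <Value>jdoe</Value>
        </Attribute>
        <Attribute id="eppnFromDirectory">
            <Value>jdoe@example.org</Value>
        </Attribute>
    </DataConnector>

    <!-- Simple: copies the connector's "uid" values to an output attribute. -->
    <AttributeDefinition xsi:type="Simple" id="uid">
        <InputDataConnector ref="sampleData" attributeNames="uid" />
    </AttributeDefinition>

    <!-- Scoped: takes the values of the "uid" definition above and applies
         a fixed scope. The scope is set here in configuration, so the
         source data cannot change it. Result: jdoe with scope example.org -->
    <AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="example.org">
        <InputAttributeDefinition ref="uid" />
    </AttributeDefinition>

    <!-- Prescoped: splits each input value into value and scope. The scope
         comes from the data itself, so it is only as trustworthy as the
         source that supplied the value. -->
    <AttributeDefinition xsi:type="Prescoped" id="eppnPrescoped">
        <InputDataConnector ref="sampleData" attributeNames="eppnFromDirectory" />
    </AttributeDefinition>

</AttributeResolver>
```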
Reference
All connectors support a set of common XML Attributes and Elements for configuring common behavior.