TemplateAttributeDefinition

Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

1 Overview
2 Reference
3 Example

Overview

The Template AttributeDefinition generates output values by merging the input values of its source attributes into a Velocity template string (essentially an inline template).

All the input attributes must contain the same number of input values (null or empty values take up a spot and are included in this count).

Any type of attribute value can be injected into a template; however, scoped attribute values will only supply the unscoped/value portion.

Note that it's usually an anti-pattern to use an <InputDataConnector> with the allAttributes property, because this will only work correctly if all the inputs have the same number of values. If you have result sets (e.g. from LDAP) that don't satisfy this rule, just make sure to enumerate the attributes you need. This used to be handled with an extra configuration element called <SourceAttribute> but this is no longer needed because of the new dependency syntax and is no longer supported.

Reference

Name	Type	Description

Name	Type	Description
velocityEngine	string	Bean ID of an externally defined (using native Spring syntax) VelocityEngine, rarely needed

Name	Cardinality	Description

Name	Cardinality	Description
<Template>	1	Contains the template string

Name	Type	Default	Description

Name	Type	Default	Description
id	String		Identifier for the IdPAttribute as well as its definition. This is used for logging and to establish dependencies and relationships between connectors and definitions, and to reference the data item in filter rules and many other configuration features. Note that the value MUST NOT contain whitespace, and use of certain other special characters will result in warnings that should be addressed in case the rules are made more strict in future versions.
activationConditionRef	Bean Reference		Bean ID of a condition to decide whether to resolve this definition, see here. Mutually exclusive with `relyingParties` and `resolutionPhases` and variants
relyingParties	Space-delimited list		List of entity IDs for which this Attribute Definition should be resolved. Mutually exclusive with `activationConditionRef`
excludeRelyingParties	Space-delimited list		List of entity IDs for which this Attribute Definition should not be resolved. Mutually exclusive with `activationConditionRef`
resolutionPhases	space-delimited list		List of resolution labels for which this Attribute Definition should be resolved; this corresponds to values that are sometimes set in the AttributeResolutionContext’s “resolutionLabel” field. Mutually exclusive with `activationConditionRef`
excludeResolutionPhases	space-delimited list		List of resolution labels for which this Attribute Definition should not be resolved; this corresponds to values that are sometimes set in the AttributeResolutionContext’s “resolutionLabel” field. Mutually exclusive with `activationConditionRef`
dependencyOnly	Boolean	false	If set to true, the attribute is not exposed outside the resolution process and is available solely within the resolution process
preRequested	Boolean	false	If set to true, the attribute (and its dependencies) will be resolved in pre-pass and its value made available to other definitions' ActivationConditions. See PreRequestedAttributes for details.
propagateResolutionExceptions	Boolean	true	Whether connector/plugin failure is fatal to the entire attribute resolution process. If this is set to false the error is logged and no values are returned for this attribute.

Name	Cardinality	Description

Name	Cardinality	Description
<InputAttributeDefinition>	0 or more	This element identifies an attribute definition which is an input to this attribute definition.
<InputDataConnector>	0 or more	This element identifies a data connector whose attributes are to be input to this attribute definition.
<AttributeEncoder>	0 or more	An inline definition of how an attribute will be encoded for inclusion in a message to a relying party. These are distinguished by an `xsi:type` attribute, and the different types are documented here. Replaceable via the more generic AttributeRegistryConfiguration.
<DisplayName>	0 or more	A human readable name for this attribute. This name may, for example, be displayed to the user to consent to the attribute's release. If multiple display names are used, then they should bear an `xml:lang` attribute to distinguish them. Replaceable via the more generic AttributeRegistryConfiguration.
<DisplayDescription>	0 or more	A human readable description of for this attribute. This name may, for example, be displayed to the user to consent to the attribute's release. If multiple display descriptions are used, then they should bear an `xml:lang` attribute to distinguish them. Replaceable via the more generic AttributeRegistryConfiguration.

These properties are shared by all (non view) users of velocity template rendering (https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199503434 , https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199503637 , https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199503855 ,https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199504140 ,https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199504451 and https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199506816 )

Property Name	Default	Controls

Property Name	Default	Controls
idp.velocity.runtime.strictmode	false	How errors in the template are handled. By default, non-existent variables are silently passed through unconverted (e.g. ${foo}). See this link
idp.velocity.space.gobbling	bc	See this link.

Example

<AttributeDefinition id="template" xsi:type="Template">
    <InputAttributeDefinition ref="OtherAttr" />
    <InputDataConnector ref="myLdap" attributeNames="attrFromLdap" />
    <Template>${attrFromLdap}::${OtherAttr}</Template>
</AttributeDefinition>