{"type":"doc","content":[{"type":"paragraph","content":[{"text":"Current Files(s)","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"strong"}]},{"text":" conf/c14n/subject-c14n.properties, conf/c14n/subject-c14n.xml, conf/attribute-resolver.xml","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"em"}]},{"type":"hardBreak"},{"text":"Format:","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"strong"}]},{"text":" Properties, Native Spring","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"type":"hardBreak"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"minLevel":{"value":"1"},"maxLevel":{"value":"3"}},"macroMetadata":{"macroId":{"value":"7a1022d737206d8fa390965ac393d0e8"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"4f82b1eb-89c0-4345-9019-07974299a35d"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"panel","attrs":{"panelType":"note"},"content":[{"type":"paragraph","content":[{"text":"In V5.2, the name of this method was altered to allow for the enhanced c14n features introduced in that version to be added without breakage. The implications of this are minimal but are discussed below where relevant.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"The “attribute-sourced” (legacy name, “attribute”) post-login subject c14n method extracts a username from an ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"IdPAttribute","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-attribute.cgi/net.shibboleth.idp.attribute.IdPAttribute"}}]},{"text":" resolved (primarily) using the ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"attribute resolution","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199502864"}}]},{"text":" function within the IdP. A common use for this flow is to perform a directory or database lookup to map information derived from the authentication process (e.g., a value input by a person) into a different value for use within the IdP.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"paragraph","content":[{"text":"A secondary feature allows for a Java ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"Subject","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" that contains one or more ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"IdPAttributePrincipal","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.principal.IdPAttributePrincipal"}}]},{"text":" objects to be processed directly for an ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"IdPAttribute","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-attribute.cgi/net.shibboleth.idp.attribute.IdPAttribute"}}]},{"text":" to pull the value from. This is primarily of use with various \"external\" authentication options such as ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"SAML proxying","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505973"}}]},{"text":", allowing a SAML Attribute decoded from another IdP to be directly consumed and used as a canonical name without the hassle of the attribute resolution process (and configuration). This feature can be leveraged by adjusting various properties (see below) to disable use of the Attribute Resolver and reference the Java ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"Subject","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" directly (note this is ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"not","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"em"}]},{"text":" referring to the SAML ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element but to the Java object created as a result of all successful authentication flows in the IdP).","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Configuration","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Method Settings","type":"text"}]},{"type":"paragraph","content":[{"text":"Use ","type":"text"},{"text":"conf/c14n/subject-c14n.properties","type":"text","marks":[{"type":"em"}]},{"text":" to configure this method, along with the ","type":"text"},{"text":"AttributeResolverConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199502864"}}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"If your system is upgraded, you may continue to use ","type":"text"},{"text":"conf/c14n/attribute-sourced-subject-c14n-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" as before, or you may remove it, while ensuring the new properties are being loaded.","type":"text"}]},{"type":"paragraph","content":[{"text":"There are two ways this method can locate a suitable ","type":"text"},{"text":"IdPAttribute","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-attribute.cgi/net.shibboleth.idp.attribute.IdPAttribute"}}]},{"text":" to use:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"By running the \"full\" Attribute Resolver service (which has some special considerations noted below).","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"By pulling an ","type":"text"},{"text":"IdPAttribute","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-attribute.cgi/net.shibboleth.idp.attribute.IdPAttribute"}}]},{"text":" directly from an ","type":"text"},{"text":"IdPAttributePrincipal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.principal.IdPAttributePrincipal"}}]},{"text":" in the input ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" (as mentioned above, this is normally useful when proxying authentication to another IdP). The “Subject” in this case does not refer directly to the Subject of a SAML assertion (e.g., during proxying), but to the Java “object” that represents the result of all authentications internally.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"These methods can be combined, in the sense that the list of attributes to search for may be found in either way, so it's possible to run the resolver conditionally and/or check both the ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" and the resolution results. In most cases this is an either/or situation and the resolver isn't meant to be used if you expect the data to be in the ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" already.","type":"text"}]},{"type":"paragraph","content":[{"text":"When pulling directly, you will typically just supply a list of attributes to check for (first value wins), and set the ","type":"text"},{"text":"idp.c14n.attribute.resolutionCondition","type":"text","marks":[{"type":"strong"}]},{"text":" property to \"shibboleth.Conditions.FALSE\", to turn off the full attribute resolution step, and set the ","type":"text"},{"text":"idp.c14n.attribute.resolveFromSubject","type":"text","marks":[{"type":"strong"}]},{"text":" property to true.","type":"text"}]},{"type":"paragraph","content":[{"text":"When using the resolver, typically you will supply a list of attributes to resolve and a list of attributes to search for in the results. The first such attribute with a suitable value will supply the username to return.","type":"text"}]},{"type":"paragraph","content":[{"text":"By default, the only transform applied to the result is a trim of leading or trailing whitespace. Case-folding and regular expression replacements can be added, per the reference section below. The regular expression replacement feature is the only one remaining that still requires XML and you may define that bean, if needed, in ","type":"text"},{"text":"conf/c14n/subject-c14n.xml","type":"text","marks":[{"type":"em"}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Using the Attribute Resolver","type":"text"}]},{"type":"paragraph","content":[{"text":"When relying on the Attribute Resolver with this feature, there are some additional considerations of which to be aware.","type":"text"}]},{"type":"paragraph","content":[{"text":"The IdP will internally set the “resolution label” used by the resolver to a value equal to the c14n method’s bean ID (typically “c14n/attribute-sourced” or “c14n/attribute” depending on IdP version). This is the value testable with the ","type":"text"},{"text":"resolutionPhases","type":"text","marks":[{"type":"code"}]},{"text":" setting supported by AttributeDefinitions and DataConnectors for conditional use.","type":"text"}]},{"type":"paragraph","content":[{"text":"Usually, the attribute resolver relies on the canonical principal name to do its work (the value of the ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"$resolutionContext.principal","type":"text","marks":[{"type":"code"}]},{"text":" variable in scripts or search templates). By definition that isn't possible here (this is the process that ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"provides","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"em"}]},{"text":" that value later). However, the value of that variable in the resolver can be set by means of a function bean (e.g., using a script) named ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"shibboleth.c14n.attribute.PrincipalNameLookupStrategy","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"strong"}]},{"text":". In most cases this function would peek inside the Java ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"Subject","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" being canonicalized and pull out custom bits of information.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"paragraph","content":[{"text":"The Java ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"Subject","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" this flow is operating on can be accessed via an expression of the form:","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"codeBlock","attrs":{"language":"javascript"},"content":[{"text":"profileContext.ensureSubcontext(\"net.shibboleth.idp.authn.context.SubjectCanonicalizationContext\").getSubject()","type":"text"}]},{"type":"paragraph","content":[{"text":"While it would not be a typical case to need to access a value entered by a user except in one specific case noted below, that value will be present inside the ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"Subject","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" as a principal object of type ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"net.shibboleth.idp.authn.principal.UsernamePrincipal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.principal.UsernamePrincipal"}}]},{"text":". In most other cases, it's simpler to just leave such a value ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"as","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"strong"}]},{"text":" the canonical principal name and adjust your resolver configuration to accomodate whatever that might be than to try and use the resolver ahead of time to turn it into some other value.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Enabling this Method","type":"text"}]},{"type":"expand","attrs":{"title":"V5.2+"},"content":[{"type":"paragraph","content":[{"text":"In V5.2+, this method is enabled by setting a per-login-flow property in ","type":"text"},{"text":"conf/authn/authn.properties","type":"text","marks":[{"type":"em"}]},{"text":" that references it. The default bean ID of this method is “c14n/attribute-sourced”, so enabling it for a login flow looks like:","type":"text"}]},{"type":"codeBlock","content":[{"text":"idp.authn.SAML.c14n.flows = c14n/attribute-sourced","type":"text"}]},{"type":"panel","attrs":{"panelType":"note"},"content":[{"type":"paragraph","content":[{"text":"A quick comment about the naming. Because of how the original method was configured in most systems, the enhancements in this version necessitated “forking” things and picking a new name for the built-in copy of the new implementation to avoid stomping on the older name. As such, “c14n/attribute” as defined in the older IdP’s default configuration will continue to work as it did before.","type":"text"}]},{"type":"paragraph","content":[{"text":"The actual implementation difference between them is that the older version runs a Spring Web Flow, and can only be used with a single configuration. The newer version is faster and can be duplicated with alternative settings (as shown next).","type":"text"}]}]},{"type":"paragraph","content":[{"text":"It is possible to configure two instances of this method at the same time with different settings. The default instance is configured with a set of global properties, so defining a second instance of it with different settings requires adding a bean to ","type":"text"},{"text":"conf/c14n/subject-c14n.xml","type":"text","marks":[{"type":"em"}]},{"text":". This bean can be defined at the top level of the file and needs a unique ID to reference in the login flow property example above. It does not have to carry the “c14n/” prefix but this is useful for clarity.","type":"text"}]},{"type":"paragraph","content":[{"text":"As an example, consider a case where the “standard” use of the method relies on the resolver to talk to a directory, but a secondary use of it is desired for the SAML proxy login method. While it is possible to do this as a single c14n setup, it can be safer and clearer to just separate them and add a second:","type":"text"}]},{"type":"codeBlock","content":[{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"That then allows you to reference “c14n/proxy-attribute” in a login flow’s property as above.","type":"text"}]}]},{"type":"expand","attrs":{"title":"Older Versions and Pre-5.2 Plugins"},"content":[{"type":"paragraph","content":[{"text":"In older versions, this method is not enabled by default and is in the shipped file inside a comment:","type":"text"}]},{"type":"codeBlock","content":[{"text":" \n \n ","type":"text"}]},{"type":"paragraph","content":[{"text":"Enabling it thus requires uncommenting this bean and then setting the properties required as appropriate.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Examples","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"MFA Example","type":"text"}]},{"type":"paragraph","content":[{"text":"One situation where this feature is frequently useful:","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"you need to use a Duo or other 2FA authentication plugin that would rely on the username entered by the user to send to the 2FA service","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"you want to allow the user to enter their username as one of several different identifiers when they do the initial password authentication","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]}]}]},{"type":"paragraph","content":[{"text":"In that case, the same user could end up having multiple different identifiers with the 2FA service, because whichever one they choose to enter at login would be the one sent. This can be addressed by using this c14n method so that you ensure the same user identifier is sent to the 2FA service every time.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"paragraph","content":[{"text":"The following example illustrates how one could do this, where one has chosen to allow the user to enter either the value of their uid or their e-mail address as the username. Changes need to be made to all of the following, and sample config highlights the changes to each that would enable such. (One would also need to configure your authn handler to allow for either input, such as changing ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"idp.authn.LDAP.userFilter","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"strong"}]},{"text":" to '(|(uid={user})(mail={user}))'.)","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"conf/attribute-resolver.xml","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"conf/c14n/subject-c14n.xml","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"conf/c14n/subject-c14n.properties","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"em"}]}]}]}]},{"type":"paragraph","content":[{"text":"The example takes the user's input name and supplies it to the attribute resolver to do a search of LDAP against the two possible candidate attributes and returns the ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"uid","type":"text","marks":[{"type":"code"}]},{"text":" attribute from the directory so that either input maps to a fixed output. There are other ways to configure the resolver that might be more aligned to other searches you need to perform, cache results, etc. but this illustrates the idea.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"heading","attrs":{"level":5},"content":[{"text":" attribute-resolver.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":" \n \n \n \n \n uid\n ","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"subject-c14n.properties","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"plaintext"},"content":[{"text":"idp.c14n.attribute.attributesToResolve = uid\nidp.c14n.attribute.attributeSourceIds = uid","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":" subject-c14n.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"expand","attrs":{"title":"V5.2+"},"content":[{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":" \n\t\n \n \n \n \n \n ","type":"text"}]}]},{"type":"expand","attrs":{"title":"Older Versions"},"content":[{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":" ...\n \n \n ...\n \n \n\t\n \n \n \n \n \n ","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Reference","type":"text"}]},{"type":"expand","attrs":{"title":"Beans"},"content":[{"type":"table","attrs":{"layout":"full-width","localId":"f8357202-ceae-4436-9b7a-701d808c1888"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[481.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[342.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[443.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[481.0]},"content":[{"type":"paragraph","content":[{"text":"c14n/attribute-sourced ","type":"text"},{"text":"5.2","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[342.0]},"content":[{"type":"paragraph","content":[{"text":"AttributeSourcedSubjectCanonicalization","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.impl.AttributeSourcedSubjectCanonicalization"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[443.0]},"content":[{"type":"paragraph","content":[{"text":"Built-in instance of this method, auto-configured by properties and other beans as described. V5.2+ allows reuse of this bean as a parent to define additional instances of this method with different settings.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[481.0]},"content":[{"type":"paragraph","content":[{"text":"c14n/attribute","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[342.0]},"content":[{"type":"paragraph","content":[{"text":"SubjectCanonicalizationFlowDescriptor","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.SubjectCanonicalizationFlowDescriptor"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[443.0]},"content":[{"type":"paragraph","content":[{"text":"Legacy definition of the original webflow-based version of this method, it was used “by example” as a commented bean in the original shipping default file","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[481.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.c14n.attribute.PrincipalNameLookupStrategy","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[342.0]},"content":[{"type":"paragraph","content":[{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",String>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[443.0]},"content":[{"type":"paragraph","content":[{"text":"Provides a principal name value for the AttributeResolutionContext during attribute resolution (i.e., $resolutionContext.principal will be set)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[481.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.c14n.attribute.Transforms","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[342.0]},"content":[{"type":"paragraph","content":[{"text":"Pair","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[443.0]},"content":[{"type":"paragraph","content":[{"text":"Pairs of regular expressions and replacement expressions to apply to the attribute-sourced username","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"Properties"},"content":[{"type":"paragraph","content":[{"text":"The following properties are commented out in ","type":"text"},{"text":"conf/c14n/subject-c14n.properties","type":"text","marks":[{"type":"em"}]},{"text":":","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"e7a7c6a4-36dc-4699-a0bd-770a5e40b937"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Name / Type / Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[258.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[652.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"idp.c14n.attribute.attributesToResolve","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[258.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[652.0]},"content":[{"type":"paragraph","content":[{"text":"Comma-delimited list of attributes to resolve (an empty list directs the resolver to resolve everything it can)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"idp.c14n.attribute.attributeSourceIds","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[258.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[652.0]},"content":[{"type":"paragraph","content":[{"text":"Comma-delimited list of attributes to search for in the results, looking for a ","type":"text"},{"text":"StringAttributeValue","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-attribute.cgi/net.shibboleth.idp.attribute.StringAttributeValue"}}]},{"text":" or ","type":"text"},{"text":"ScopedStringAttributeValue","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-attribute.cgi/net.shibboleth.idp.attribute.ScopedStringAttributeValue"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"idp.c14n.attribute.resolveFromSubject","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[258.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[652.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to examine the input ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" for ","type":"text"},{"text":"IdPAttributePrincipal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.principal.IdPAttributePrincipal"}}]},{"text":" objects to pull from directly, instead of from the output of the Attribute Resolver service","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"idp.c14n.attribute.resolutionCondition","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[258.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.Conditions.TRUE","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[652.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID of a ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":"> to evaluate to determine whether to run the Attribute Resolver or go directly to the ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" alone","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"idp.c14n.attribute.lowercase","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[258.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[652.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to lowercase the username","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"idp.c14n.attribute.uppercase","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[258.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[652.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to uppercase the username","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"idp.c14n.attribute.trim","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[258.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[652.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to trim leading and trailing whitespace from the username","type":"text"}]}]}]}]}]},{"type":"paragraph"}],"version":1}

Browser not supported