CASAttributeTranscoderConfiguration
Overview
A set of built-in transcoders supporting the CAS <cas:attribute> feature. Most of them support a common set of properties, documented below; a few other properties are defined for specific transcoder types. Since they largely all do the same thing in the same way, they're documented here together.
Common Properties
In addition to the generic properties, all CAS transcoders support the following optional properties:
Name | Type | Default | Description |
---|---|---|---|
cas.name | String | When encoding, the input IdPAttribute's ID and when decoding, the "id" property in the rule | The |
cas.nameFromMetadata (5.1) | Boolean | false | Whether to check for a SAML metadata extension tag for naming rules |
Metadata-Based Naming (5.1)
The transcoders also support an option to rely on SAML metadata extension tags to provide service-specific naming rules. This is an alternative to the relyingParties approach of naming specific services in a rule to limit its use. This feature can be combined with “default” naming via a rule: the metadata is checked for a per-service name in preference to the default in the rule, and the default applies in the absence of an applicable tag value.
Note that this approach only works for encoding into a CAS response, and does not support the decoding side because the “source name” of a CAS Attribute would then not be known to the system independently of a specific service (the encoding direction works because the source name there is the internal attribute ID, which is required to be specified in the rule).
To use this feature, the rule must contain the cas.nameFromMetadata property set to true. The rule may or may not also contain the default cas.name property as a fallback.
If in use, all CAS transcoders will check for an extension Attribute/tag of the name “http://shibboleth.net/ns/attributes/naming/cas” whose values contain a space-delimited pair of the form “id name”. A tag may contain multiple values, but only the first value containing the matching attribute ID will be applied.
Whether this approach is better for you really depends on how you manage and curate metadata and your ability to extend it, which is increasingly the key to most effectively