CASAttributeTranscoderConfiguration
Overview
A set of built-in transcoders supporting the CAS <cas:attribute> feature. Most of them support a common set of properties, documented below; a few other properties are defined for specific transcoder types. Since they largely all do the same thing in the same way, they're documented here together.
Common Properties
In addition to the generic properties, all CAS transcoders support the following optional properties:
Name | Type | Default | Description |
---|---|---|---|
cas.name | String | When encoding, the input IdPAttribute's ID and when decoding, the "id" property in the rule | The |
cas.nameFromMetadata 5.1 | Boolean | false | Whether to check for a SAML metadata extension tag for naming rules |
Metadata-Based Naming 5.1
The transcoders also support an option to rely on SAML metadata extension tags to provide service-specific naming rules. This is an alternative to the relyingParties approach of naming specific services in a rule to limit its use. This feature can be combined with “default” naming via a rule, such that the metadata is checked for a per-service name in preference to the default in the rule, with the default applying in the absence of an applicable tag value.
Note that this approach only works for encoding into a CAS response, and does not support the decoding side because the “source name” of a CAS Attribute would then not be known to the system independently of a specific service (the encoding direction works because the source name there is the internal attribute ID, which is required to be specified in the rule).
To use this feature, the rule must contain the cas.nameFromMetadata property set to true. The rule may or may not also contain the default cas.name property as a fallback.
If in use, all CAS transcoders will check for an extension Attribute/tag of the name “http://shibboleth.net/ns/attributes/naming/cas” whose values contain a space-delimited pair of the form “id name”. A tag may contain multiple values, but only the first value containing the matching attribute ID will be applied.
Whether this approach is better for you really depends on how you manage and curate metadata and your ability to extend it, which is increasingly the key to most effectively operating the Shibboleth software. (Obviously, many CAS deployments may not depend on the use of metadata in the first place.)
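The lookup described above can be modelled in a few lines. This is an added illustration in Python, not the IdP's own code: the sample metadata, the entity ID, the function names and the rule dictionaries are constructed, and falling back to the attribute ID when neither a tag value nor cas.name is present is an assumption taken from the default listed in the table above.

```python
import xml.etree.ElementTree as ET

CAS_NAMING_TAG = "http://shibboleth.net/ns/attributes/naming/cas"
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample metadata for a hypothetical service.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://app.example.org/cas">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://shibboleth.net/ns/attributes/naming/cas"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>mail emailAddress</saml:AttributeValue>
        <saml:AttributeValue>uid user</saml:AttributeValue>
        <saml:AttributeValue>mail ignoredSecondMatch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
"""

def tag_values(metadata_xml):
    # Collect every value of the CAS naming tag, in document order.
    root = ET.fromstring(metadata_xml)
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    return [(v.text or "") for a in root.findall(path, NS)
            if a.get("Name") == CAS_NAMING_TAG
            for v in a.findall("saml:AttributeValue", NS)]

def resolve_cas_name(attribute_id, rule, metadata_xml=None):
    """Return the name an attribute is encoded under for one service."""
    if rule.get("cas.nameFromMetadata") == "true" and metadata_xml:
        for value in tag_values(metadata_xml):
            parts = value.split()  # "id name", space-delimited
            if len(parts) == 2 and parts[0] == attribute_id:
                return parts[1]  # only the first matching value applies
    # No applicable tag value: use the rule's cas.name, else the attribute ID (assumed).
    return rule.get("cas.name", attribute_id)
```

Running the resolver over a service's metadata before deployment shows which name each released attribute will carry, which is a quick way to catch a tag value that is malformed or shadowed by an earlier one.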
Transcoder Types
There are 3 built-in subtypes of CAS transcoders, as follows. Each one is predefined as a Spring bean for use in rules using the "short" name of the class, as enumerated in the TranscodingRuleConfiguration reference section.
CASStringAttributeTranscoder
The simplest and most commonly used transcoder, it supports encoding and decoding internal values from and to the StringAttributeValue class. It supports no additional properties.
CASScopedStringAttributeTranscoder
This type supports encoding and decoding internal values from and to the ScopedStringAttributeValue class. It supports the following optional property:
Name | Type | Default | Description |
---|---|---|---|
cas.scopeDelimiter | String | @ | The character(s) to use to separate the value and scope |
CASDateTimeAttributeTranscoder
This type supports encoding and decoding internal values from and to the DateTimeAttributeValue class. It supports the following optional property:
Name | Type | Default | Description |
---|---|---|---|
cas.epochUnits | “s” or “ms” | “s” | When decoding, indicates the unit of conversion into an epoch for a numeric string, either seconds or milliseconds. |