EntityAttributesDataConnector

Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

Overview

The EntityAttributes data connector exposes decoded SAML Attributes found in the <EntityAttributes> extension of a peer’s metadata.

Note that only decoded tags are extracted by this connector, not the underlying SAML Attributes. By default, the IdP will decode any tags it finds, provided they are expressed with the NameFormat of "urn:oasis:names:tc:SAML:2.0:attrname-format:URI", and produce IdPAttributes with the URI name as the attribute’s ID. Such IDs, while unusual looking, are allowed.

You may also define your own decoding rules for tags, via the configuration described at https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510514, which has the additional ability of controlling the attribute ID used.

By default, the source of metadata used is the peer metadata found in the inbound message context, which is generally the logical choice to use. It is possible in unusual cases to override this lookup strategy (see reference).

Reference

| Name | Type | Description |
|---|---|---|
| metadataContextStrategyRef | Bean ID | Bean ID of a Function<ProfileRequestContext,SAMLMetadataContext> to locate the metadata to pull from |

None of the common elements typical of DataConnectorConfiguration are supported, as this connector has neither dependencies nor failover (since it cannot fail in ordinary usage).

Example

Example of EntityAttributes DataConnector

In this example, the default-decoded entity category tag is exposed as an IdPAttribute named "http://macedir.org/entity-category".

<DataConnector id="entityAttributes" xsi:type="EntityAttributes" exportAttributes="http://macedir.org/entity-category" />