The EntityAttributes DataConnector exposes the decoded SAML Attributes ("tags") found in an <EntityAttributes> extension of a peer's metadata as IdPAttributes.
Note that only the decoded form of each tag is exposed by this connector, not the raw SAML Attribute objects themselves. By default, the IdP decodes any tag it finds whose NameFormat is "urn:oasis:names:tc:SAML:2.0:attrname-format:URI" and produces an IdPAttribute whose ID is the tag's URI Name. Such IDs (for example "http://macedir.org/entity-category") look unusual but are allowed.
You may also define your own decoding rules for tags via the AttributeRegistryConfigurationPreview, which additionally lets you control the attribute ID that is produced.
By default, the metadata used is the peer metadata found in the inbound message context, which is almost always the right choice; in unusual cases the lookup strategy can be overridden (see the reference below). Because the values come straight from metadata, they are only as trustworthy as the metadata source that supplied them: a tag in SP metadata means something only if the metadata provider (typically a federation registrar) controls who may assert it.
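To make the decoding rule concrete, here is a constructed fragment of an SP's metadata (added for illustration; it is not from the original page and the entityID, the second tag name "localTag" and the endpoint URL are invented). The first tag uses the URI NameFormat and is decoded by default into an IdPAttribute with ID "http://macedir.org/entity-category"; the second uses the basic NameFormat and is ignored unless a custom decoding rule is registered for it.

```xml
<!-- Constructed SP metadata fragment (not from the original page). -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <!-- NameFormat URI: decoded by default into an IdPAttribute whose ID is the
           Name itself, i.e. "http://macedir.org/entity-category". -->
      <saml:Attribute Name="http://macedir.org/entity-category"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:URI">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
      <!-- Not NameFormat URI: skipped by the default decoding rules. It would need
           its own rule in the attribute registry to be exposed. (Name is hypothetical.) -->
      <saml:Attribute Name="localTag"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>example</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

Whether the IdP ever sees this extension depends on the metadata provider it is configured with; the connector reads whatever metadata the inbound message context resolved for the peer, so signature verification and filtering belong in the metadata provider configuration, not here.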
Reference

Attribute specific to this connector:

metadataContextStrategyRef (Bean ID): Bean ID of a Function<ProfileRequestContext,SAMLMetadataContext> used to locate the metadata to pull the tags from.

Attributes common to DataConnectors (none has a default unless noted):

id (String): Identifier for the DataConnector. This is used for logging, to establish dependencies, and as a target for failover.

activationConditionRef (Bean ID): Bean ID of a condition that decides whether to resolve this connector. Mutually exclusive with relyingParties, resolutionPhases and their exclude variants.

relyingParties (Space-delimited list): List of entity IDs for which this connector should be resolved. Mutually exclusive with activationConditionRef.

excludeRelyingParties (Space-delimited list): List of entity IDs for which this connector should not be resolved. Mutually exclusive with activationConditionRef.

resolutionPhases (Space-delimited list): List of resolution phases (i.e. flows) during which this connector should be resolved. Mutually exclusive with activationConditionRef.

excludeResolutionPhases (Space-delimited list): List of resolution phases (i.e. flows) during which this connector should not be resolved. Mutually exclusive with activationConditionRef.

exportAttributes (Space-delimited list): List of attributes produced by the DataConnector that should be directly exported as resolved IdPAttributes without requiring actual AttributeDefinitions. In the case of a name clash (a DataConnector exports an attribute with the same name as an AttributeDefinition, or another DataConnector exports the same attribute) the DataConnector attribute is NOT added and a warning is issued.

noRetryDelay (Duration, default 0): Time between retries of a failed DataConnector. During that interval the connector is simply assumed to have failed each time it is run and no actual connection is attempted.

propagateResolutionExceptions (Boolean, default true): Whether connector/plugin failure is fatal to the entire attribute resolution process. If this is set to false the error is logged and the data connector returns no attributes.
None of the common elements typical of DataConnectorConfiguration are supported, as this connector has neither dependencies nor failover (since it cannot fail in ordinary usage).
Example
Example of EntityAttributes DataConnector
In this example, the default-decoded entity category tag is exposed as an IdPAttribute named "http://macedir.org/entity-category".
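The configuration itself is missing from the page as extracted, so the following attribute-resolver.xml fragment is added here as an illustration and is not the project's own example. The connector ID "entityAttributes", the AttributeDefinition ID "spEntityCategory" and the assumption that the plugin is selected with xsi:type="EntityAttributes" (matching the connector's name) are assumptions; the exportAttributes attribute and the attribute ID "http://macedir.org/entity-category" are taken from the text above.

```xml
<!-- Constructed attribute-resolver.xml fragment (not from the original page).
     Place inside <AttributeResolver>; namespace declarations are those of
     the surrounding file. -->

<!-- Pull tags from the peer's metadata and export the default-decoded entity
     category tag directly, without an AttributeDefinition. The exported
     IdPAttribute's ID is the URI itself: "http://macedir.org/entity-category". -->
<DataConnector id="entityAttributes" xsi:type="EntityAttributes"
               exportAttributes="http://macedir.org/entity-category"/>

<!-- Optional: expose the same tag under a conventional attribute ID, without
     changing the attribute registry, by pulling it through a Simple definition. -->
<AttributeDefinition id="spEntityCategory" xsi:type="Simple">
    <InputDataConnector ref="entityAttributes"
                        attributeNames="http://macedir.org/entity-category"/>
</AttributeDefinition>
```

The exported attribute collides with nothing here, but if you later add an AttributeDefinition with id="http://macedir.org/entity-category", or a second connector exporting the same name, the export is dropped with a warning rather than overriding the definition, so check the resolver log after such changes.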