{"type":"doc","content":[{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"maxLevel":{"value":"3"},"_parentId":{"value":"1376879193"}},"macroMetadata":{"macroId":{"value":"4481edcb-c88e-466a-894c-1a87e3c22a0a"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"6bb9a144-6c2d-4a4f-afed-ff3491116aef"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"OIDC claims are of course subject to identical behavior with regard to the ","type":"text"},{"text":"AttributeFilterConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.shibboleth.net/confluence/display/IDP4/AttributeFilterConfiguration"}}]},{"text":" since filtering operates on the internal ","type":"text"},{"text":"IdPAttribute","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.attribute.IdPAttribute"}}]},{"text":" objects prior to encoding into claims. There are however a couple of additional extensions supported that are specific to OIDC use cases and policy needs.","type":"text"}]},{"type":"paragraph","content":[{"text":"There is an example file supplied, ","type":"text"},{"text":"conf/examples/oidc-attribute-filter.xml,","type":"text","marks":[{"type":"em"}]},{"text":" with examples that may be helpful in adding to your own policies.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"Because these are extensions, their ","type":"text"},{"text":"xsi:type","type":"text","marks":[{"type":"code"}]},{"text":" definitions live in a separate XML namespace and schema (unfortunately an unavoidable callback to the days when multiple namespaces were required in configurations).","type":"text"}]},{"type":"paragraph","content":[{"text":"Namespace:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"urn:mace:shibboleth:2.0:afp:oidc","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"Schema:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"http://shibboleth.net/schema/oidc/shibboleth-afp-oidc.xsd","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/schema/oidc/shibboleth-afp-oidc.xsd"}}]}]},{"type":"paragraph","content":[{"text":"In order to use any of these extension types, the root element of the filter configuration file needs to be adjusted to declare a namespace prefix for the extension namespace and add in the schema location to address some fundamental XML bugs in Spring:","type":"text"}]},{"type":"codeBlock","content":[{"text":"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"OIDCScope Policy Rule","type":"text"}]},{"type":"paragraph","content":[{"text":"One additional policy rule is provided, with ","type":"text"},{"text":"xsi:type=\"oidc:OIDCScope\"","type":"text","marks":[{"type":"code"}]},{"text":", which returns true if and only if any of the scope values in the OIDC authentication request matches a supplied string. By default, the scope requested must be a scope registered in the client's metadata. This can also be customised, see ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3001352203"}},{"text":" .","type":"text"}]},{"type":"paragraph","content":[{"text":"It supports the following XML Attributes:","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"51183391-7036-4b13-8e67-deea8f811f48"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[57.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[48.0]},"content":[{"type":"paragraph","content":[{"text":"Req?","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[67.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[588.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[57.0]},"content":[{"type":"paragraph","content":[{"text":"value","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[48.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Y","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[67.0]},"content":[{"type":"paragraph","content":[{"text":"String","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[588.0]},"content":[{"type":"paragraph","content":[{"text":"The OAuth scope for which the policy applies","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Example","type":"text"}]},{"type":"paragraph","content":[{"text":"This example releases two mail-related claims to clients that are authorized to, and request, the \"email\" scope.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":" \n \n \n \n \n \n \n \n ","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"AttributeInOIDCRequestedClaims Matcher","type":"text"}]},{"type":"paragraph","content":[{"text":"One additional matcher is provided, with ","type":"text"},{"text":"xsi:type=\"oidc:AttributeInOIDCRequestedClaims\"","type":"text","marks":[{"type":"code"}]},{"text":", which operates by comparing an IdPAttribute's values against the requested claims parameter of an OIDC authentication request. The default functionality filters out all attribute values that do not have a matching claim in the id token or userinfo sections of requested claims.","type":"text"}]},{"type":"paragraph","content":[{"text":"The translation between the requested claim name and the IdPAttribute id is based on the transcoding rule(s) that are configured, including automatically reversed rules constructed based on any ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" elements (this is how SAML mappings are constructed as well).","type":"text"}]},{"type":"paragraph","content":[{"text":"It supports the following optional XML Attributes:","type":"text"}]},{"type":"table","attrs":{"layout":"wide","localId":"6897a5e5-17e2-4d91-93d4-3ddcac385904"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[249.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[72.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[64.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[575.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[249.0]},"content":[{"type":"paragraph","content":[{"text":"matchIfRequestedClaimsSilent","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[72.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[64.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[575.0]},"content":[{"type":"paragraph","content":[{"text":"Releases values if the request did not specify any requested claims at all","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[249.0]},"content":[{"type":"paragraph","content":[{"text":"matchOnlyUserInfo","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[72.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[64.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[575.0]},"content":[{"type":"paragraph","content":[{"text":"Releases values only if the claim is requested for the UserInfo token","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[249.0]},"content":[{"type":"paragraph","content":[{"text":"matchOnlyIDToken","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[72.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[64.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[575.0]},"content":[{"type":"paragraph","content":[{"text":"Releases values only if the claim is requested for the ID token","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[249.0]},"content":[{"type":"paragraph","content":[{"text":"onlyIfEssential","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[72.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[64.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[575.0]},"content":[{"type":"paragraph","content":[{"text":"Releases values only if the claim is requested as \"essential\"","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Example","type":"text"}]},{"type":"paragraph","content":[{"text":"The example shows how to set up rules to release attributes specifically for clients that request them in various ways.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":" \n \n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","type":"text"}]},{"type":"paragraph"}],"version":1}

Browser not supported