The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.


Attribute Definition Examples

The following examples are simply that, examples. They do not illustrate all possible configuration properties or features. Refer to the documentation for defining and release new attribute for this information.

Send email Address to Google as Name Identifier

Contributed by: Chad La Joie, SWITCH, Switzerland

The following example demonstrates pulling an email address from an LDAP directory, encoding it as a name identifier, and releasing it to Google for use with their Google App products.

   Attribute definition that expects to get the 'email' attribute from the ldap connector
   defined as its dependency and encode it as a SAML 2 name identifier.
<resolver:AttributeDefinition xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"

       The data connector expected to provide the source attribute, email.  Note how the
       value of the 'ref' attribute is the identifier given to the LDAP data connector.
    <resolver:Dependency ref="ldap" />

    <!-- Encoder that transforms the attribute into a SAML2 NameID -->
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />


<!-- An LDAP connector that pulls in, at least, an attribute called email. -->
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"


       Trigger this policy just for Google.  Note, Google uses an entity ID that is not
       standard compliant.  If you're doing this for other services the value should be
       either a URN or URL.
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="" />

       Release any value of the attribute defined to carry the Google App user identifier.
       Note how the value of 'attributeID' matches the ID of the attribute generated by the
       simple attribute definition in the resolver configuration.
    <AttributeRule attributeID="googleNameID">
        <PermitValueRule xsi:type="basic:ANY" />


    NOTE: Google appears to require that *only* the name identifier be returned to them.
    If you return additional attributes by default, you may need to specifically exclude
    Google, or it may fail. E.g., an AttributeFilterPolicy that releases the transientId
    to everyone would be specified as
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
       Do not release transientId to Google
    <PolicyRequirementRule xsi:type="basic:NOT">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="" />

    <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="basic:ANY" />