AttributeExtractor

Overview

The <AttributeExtractor> element configures the component used by the SP to turn SAML content into "attributes", the internal/neutral representation of information stored within user sessions. With the exception of a few built-in data elements associated with each session, most of the data an application is able to access about a session is made up of the internal attributes that are produced by using one or more attribute extractors.

The SP generally invokes the extraction step following the acceptance of assertions during SSO and as a result of secondary attribute resolution from SAML-based sources such as an Attribute Authority. Extraction is generally followed by a filtering step that can apply rules over what attributes or values to accept.

In general, extractors can be handed many different XML element types and are free to process them or ignore them as their implementation or configuration dictates.

As with most plugins, the type attribute determines which type of plugin to use. Each type supports its own attributes and child elements.

Types

| type | Description |
| --- | --- |
| XML | The main type used by most deployments, implements an XML-based rule syntax for decoding SAML attributes and name identifiers into internal attributes |
| KeyDescriptor | Exposes the signing/TLS or encryption keys advertised in an IdP's metadata as attributes |
| Delegation | Exposes content from within a SAML DelegationRestriction condition as attributes |
| Assertion | Exposes specific "built-in" content from within a SAML assertion as attributes |
| Metadata | Exposes specific "built-in" content from within SAML metadata as attributes |
| GSSAPI | Implements an XML-based rule syntax for decoding GSS-API naming extensions into internal attributes |

Reference

Common Attributes

All <AttributeExtractor> plugins support the following attributes:

| Name | Type | Req? | Description |
| --- | --- | --- | --- |
| type | string | Y | Specifies the type of AttributeExtractor plugin to use |