AttributeResolver

Overview

The <AttributeResolver> element configures components that can be enabled to obtain additional attributes about the logged-in user following a SSO event, as well as transforming or creating new attributes internally.

During SSO, the IdP can (and generally does) supply attributes in a "push" fashion inside the SAML assertions it issues. These attributes are decoded with an AttributeExtractor and cached with the user's session. The purpose of a resolver plugin is to "pull" attributes from additional sources or to transform existing attributes in some way.

Like most plugins, the type attribute determines which type of plugin to use. Each type supports its own attributes and child elements.

Types

type

Description

type

Description

Query

Issues a SAML AttributeQuery to the originating IdP to obtain attributes when they are omitted from the original assertion

SimpleAggregation

Issues one or more SAML Attribute Queries to third-party Attribute Authorities independent of the originating IdP using identifier(s) obtained during SSO

Transform

Applies one or more regular expressions to an input attribute, either replacing its values, or generating new attribute(s)

Template

Plugs values from one or more existing attributes into a template string that can combine the original attributes into a new attribute

UpperCase

Converts the values of an attribute into upper case, either replacing its values, or generating a new attribute

LowerCase

Converts the values of an attribute into lower case, either replacing its values, or generating a new attribute

Reference

Common Attributes

All <AttributeResolver> plugins support the following attributes:

Name

Type

Req?

Description

Name

Type

Req?

Description

type

string

Y

Specifies the type of AttributeResolver plugin to use