The <AttributeResolver> element configures components that can be enabled to obtain additional attributes about the logged-in user following a SSO event, as well as transforming or creating new attributes internally.

During SSO, the IdP can (and generally does) supply attributes in a "push" fashion inside the SAML assertions it issues. These attributes are decoded with an AttributeExtractor and cached with the user's session. The purpose of a resolver plugin is to "pull" attributes from additional sources or to transform existing attributes in some way.

Like most plugins, the type attribute determines which type of plugin to use. Each type supports its own attributes and child elements.


QueryIssues a SAML AttributeQuery to the originating IdP to obtain attributes when they are omitted from the original assertion

Issues one or more SAML Attribute Queries to third-party Attribute Authorities independent of the originating IdP using identifier(s) obtained during SSO

TransformApplies one or more regular expressions to an input attribute, either replacing its values, or generating new attribute(s)
TemplatePlugs values from one or more existing attributes into a template string that can combine the original attributes into a new attribute
UpperCaseConverts the values of an attribute into upper case, either replacing its values, or generating a new attribute
LowerCaseConverts the values of an attribute into lower case, either replacing its values, or generating a new attribute


Common Attributes

All <AttributeResolver> plugins support the following attributes:




Specifies the type of AttributeResolver plugin to use