Transform SessionInitiator

Advanced Configuration

Note: this is an advanced configuration feature. Most deployments can rely on the <SSO> shorthand element instead.

Identified by type="Transform", this initiator rewrites an entityID according to a sequence of transforms until IdP metadata can be found for the result. No specific protocol support is assumed; the first entityID for which a valid <md:IDPSSODescriptor> can be found terminates the handler's activity.

This handler does not itself produce a response to the browser. It generally runs first in a chain of initiators, so that the entityID can be manipulated before the other handlers run. It serves a variety of purposes, from turning user input (a domain name, an email address) into an entityID, to acting as a kind of "redirect" mechanism that maps one entityID onto another.

Attributes

Common Attributes

Specific Attributes

Name: alwaysRun
Type: boolean
Default: false
Description: If false, the initial entityID value is looked up first and, if metadata is found, the handler exits without applying any transform. Set to true to apply at least one transform even to entityID values that already have metadata.

Child Elements

Name: <Subst>
Cardinality: 0 or more
Description: Simple transform whose element content is a string containing the substring "$entityID", into which the current entityID value is substituted. If the element carries a force attribute set to "true", the transform always takes effect, whether or not metadata is found for the result. Otherwise the transform is only applied if metadata is found for the result (which terminates the handler).

Name: <Regex>
Cardinality: 0 or more
Description: Complex transform with a match attribute holding a regular expression that is applied to the current entityID value, and whose element content is the replacement expression evaluated from the results of the match. Only numeric/positional group references (e.g. $1) are supported; named groups are not. If the element carries a force attribute set to "true", the transform always takes effect, whether or not metadata is found for the result. Otherwise the transform is only applied if metadata is found for the result (which terminates the handler).

Query String Parameters

The following can be provided via the Initiator Protocol.

Common Parameters

Specific Parameters

There are no protocol-specific parameters.

Example

The example tries a sequence of transforms that allows any of the following to be turned into an InCommon IdP name (at the time of writing, a URN containing a domain name):

  • the domain name itself (e.g. osu.edu)

  • an email address from the domain (e.g. foo@osu.edu)

  • a subdomain of the domain (e.g. law.osu.edu)

<SessionInitiator type="Transform">
    <Subst>urn:mace:incommon:$entityID</Subst>
    <Regex match=".+@(.+)">urn:mace:incommon:$1</Regex>
    <Regex match="^[^.]+\.(.+)">urn:mace:incommon:$1</Regex>
</SessionInitiator>
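To make the lookup-then-transform sequence and the alwaysRun and force semantics concrete, the following Python model walks the example chain above. It is an added illustration, not Shibboleth SP code: KNOWN_IDPS is a constructed stand-in for the metadata provider, has_idp_metadata, apply_transform and transform_entity_id are hypothetical helper names, and the model processes <Subst> and <Regex> elements in the order listed (the page does not state the SP's actual ordering). The $N group syntax is translated to Python's \g<N> form so the page's replacement strings can be used as written.

```python
import re

# Constructed stand-in for the SP's metadata provider: the entityIDs for which
# an <md:IDPSSODescriptor> would be found. A real deployment consults loaded
# metadata, which is what makes the final entityID trustworthy.
KNOWN_IDPS = {
    "urn:mace:incommon:osu.edu",
    "https://idp.example.org/idp/shibboleth",
}

# The chain from the page's example, as (kind, ..., force) tuples.
INCOMMON_CHAIN = [
    ("Subst", "urn:mace:incommon:$entityID", False),
    ("Regex", r".+@(.+)", "urn:mace:incommon:$1", False),
    ("Regex", r"^[^.]+\.(.+)", "urn:mace:incommon:$1", False),
]


def has_idp_metadata(entity_id, known=KNOWN_IDPS):
    """Hypothetical lookup: True if IdP metadata exists for entity_id."""
    return entity_id in known


def _positional_groups(replacement):
    r"""Translate the handler's $N group references into Python's \g<N> form."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", replacement)


def apply_transform(transform, entity_id):
    """Return the candidate produced by one <Subst>/<Regex>, or None if it does not apply."""
    kind = transform[0]
    if kind == "Subst":
        content = transform[1]
        if "$entityID" not in content:
            return None
        return content.replace("$entityID", entity_id, 1)
    if kind == "Regex":
        match, replacement = transform[1], transform[2]
        if re.search(match, entity_id) is None:
            return None  # no match, so there is nothing to replace
        candidate = re.sub(match, _positional_groups(replacement), entity_id)
        return None if candidate == entity_id else candidate
    raise ValueError("unknown transform kind: %r" % kind)


def transform_entity_id(entity_id, chain, always_run=False, lookup=has_idp_metadata):
    """Model of the Transform initiator. Returns (entity_id, found).

    found is True as soon as a lookup succeeds, which ends the chain; the
    returned entity_id is the value later handlers would see.
    """
    # alwaysRun="false": a value that already has metadata is left untouched.
    if not always_run and lookup(entity_id):
        return entity_id, True
    for transform in chain:
        force = transform[-1]
        candidate = apply_transform(transform, entity_id)
        if candidate is None:
            continue
        if force:
            # force="true": the rewrite sticks even if no metadata is found.
            entity_id = candidate
        if lookup(candidate):
            return candidate, True
    return entity_id, False


if __name__ == "__main__":
    for raw in ("osu.edu", "foo@osu.edu", "law.osu.edu", "nowhere.invalid"):
        print(raw, "->", transform_entity_id(raw, INCOMMON_CHAIN))
```

Running the model on the three inputs the page lists (osu.edu, foo@osu.edu, law.osu.edu) yields urn:mace:incommon:osu.edu in each case, while an input with no matching metadata (nowhere.invalid) comes back unchanged with found set to False. Two behaviours worth noticing before enabling them in production: with always_run=True the original value is never looked up, so an entityID that already had metadata (https://idp.example.org/idp/shibboleth in the constructed set) falls through the whole chain and is lost; and a forced <Subst> rewrites the entityID even when nothing is found, so the handlers that follow see the transformed value. The model also applies an unanchored match anywhere in the value, as re.sub does, which is why the page's third transform anchors with ^.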