{"type":"doc","content":[{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{},"macroMetadata":{"macroId":{"value":"ff4914e1-51b7-41d9-91a6-af0a8900763e"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"cad3efe5-2243-4855-ab63-1a28bc86c20e"}},{"type":"paragraph","content":[{"text":"Identified by ","type":"text"},{"text":"type=\"AttributeChecker\"","type":"text","marks":[{"type":"code"}]},{"text":", this ","type":"text"},{"text":"handler","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/SP3/pages/2065334698"}}]},{"text":" validates a user's session against a list of required attributes (and optionally values) and either returns the user to complete the login process or displays an error template. The template is in the same form described by the ","type":"text"},{"text":"Errors","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/SP3/pages/2065334361"}}]},{"text":" topic, and also has access to the user's session, such that attributes in the session can be used via ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" tags.","type":"text"}]},{"type":"paragraph","content":[{"text":"This handler is designed to complement the ","type":"text"},{"text":"sessionHook","type":"text","marks":[{"type":"code"},{"type":"link","attrs":{"href":"/wiki/spaces/SP3/pages/2063695997"}}]},{"text":" setting by leveraging the hook to check for required attributes.","type":"text"}]},{"type":"paragraph","content":[{"text":"The attributes to check for can be specified in one of two ways:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"a list of attribute IDs via the ","type":"text"},{"text":"attributes","type":"text","marks":[{"type":"code"}]},{"text":" setting (see below)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"by embedding a valid ","type":"text"},{"text":"access control policy","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/SP3/pages/2065334887"}}]},{"text":" inside the element","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"The latter option allows arbitrary checking of the session against boolean combinations of attributes and values. For example, instead of requiring that all of a set of attributes be present, an ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" can be used.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Attributes","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Common Attributes","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"include","parameters":{"macroParams":{"":{"value":"HandlerCommonAttributes"}},"macroMetadata":{"macroId":{"value":"afba5c6f-5763-4ba2-9e23-9ebfc70bbed9"},"schemaVersion":{"value":"1"},"title":"Include Page"}},"localId":"a6e51407-9efd-4bb3-ab20-dcb4f561dd24"}},{"type":"heading","attrs":{"level":4},"content":[{"text":"Specific Attributes","type":"text"}]},{"type":"table","attrs":{"layout":"wide","localId":"04b59ee4-165c-48b2-9ccc-5c7a32e6bf50"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[70.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[161.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[71.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[458.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[70.0]},"content":[{"type":"paragraph","content":[{"text":"template","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[161.0]},"content":[{"type":"paragraph","content":[{"text":"local pathname","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[71.0]},"content":[{"type":"paragraph","content":[{"text":"Required","type":"text","marks":[{"type":"em"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[458.0]},"content":[{"type":"paragraph","content":[{"text":"Required attribute specifying the path to an error template to use in the event that checking fails.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[70.0]},"content":[{"type":"paragraph","content":[{"text":"flushSession","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[161.0]},"content":[{"type":"paragraph","content":[{"text":"boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[71.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[458.0]},"content":[{"type":"paragraph","content":[{"text":"If true, the user's session is forcibly removed if the session fails the check.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[70.0]},"content":[{"type":"paragraph","content":[{"text":"attributes","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[161.0]},"content":[{"type":"paragraph","content":[{"text":"whitespace-delimited list of attribute IDs","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[71.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[458.0]},"content":[{"type":"paragraph","content":[{"text":"Specifies a list of attributes to look for. If the session does not contain at least one value for each attribute designated, the session \"fails\" the check.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Child Elements","type":"text"}]},{"type":"paragraph","content":[{"text":"And valid child element of an ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"},{"type":"link","attrs":{"href":"/wiki/spaces/SP3/pages/2065334887"}}]},{"text":" Element","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Examples","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Typical Examples","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Extended Syntax","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n jdoe@example.edu\n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"One example approach how to use the Attribute Checker Handler to mitigate the case where an IdP released too few attributes to an SP is shown in the ","type":"text"},{"text":"eduGAIN Wiki","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.geant.org/display/eduGAIN/"}}]},{"text":" on the page ","type":"text"},{"text":"How to configure Shibboleth SP attribute checker","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.geant.org/display/eduGAIN/How+to+set+up+a+Service+Provider+for+eduGAIN"}}]},{"text":". Following the instructions there, a Shibboleth SP will show a helpful error message and provide the user with an easy way (2 clicks) to inform his IdP administrator regarding the attribute release problem. Also, the approach described on the wiki page makes use of a tracking cookie to log (locally or remotely) cases where users ended up on the error page.","type":"text"}]}],"version":1}