Attribute Resolver Handler

Identified by type="AttributeResolver", this handler implements a loopback query-based protocol to invoke the SP's AttributeResolver machinery in a manner similar to the resolvertest utility/example, and provides JSON-based output. In comparison to the resolvertest binary, this plugin is a lot faster because it does not have to load the whole configuration (including metadata download etc.) and it can be queried via a web request.

To use this plugin, the plugins.so shared library must be loaded via the <OutOfProcess> element's <Library> element, and the plugins-lite.so shared library must be loaded via the <InProcess> element's <Library> element.

This handler SHOULD NOT be exposed on any untrusted network interface or address, or you will potentially expose user information to an untrusted requester. There is no security on this interface beyond the acl (access control list) option; it is designed for local use only.
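The acl option is the only control on this interface, so it is worth being able to check, before deploying, exactly which requester addresses a given acl string admits. The helper below is an added example written for this page, not code from the Shibboleth SP; it models the acl as the page describes it (a space-delimited list of IPv4/IPv6 addresses or CIDR statements) and flags an acl that reaches beyond loopback. The literal "127.0.0.1 ::1" is this example's rendering of the "localhost only" default, and the sample requester addresses are constructed.

```python
import ipaddress

# Constructed rendering of the page's "localhost only" default acl
# (assumption of this example, not a value taken from the SP's source).
LOCALHOST_ACL = "127.0.0.1 ::1"


def parse_acl(acl):
    """Parse the handler's space-delimited acl string (IPv4/IPv6 addresses
    or CIDR statements) into ip_network objects. A bare address becomes a
    single-host network (/32 or /128)."""
    return [ipaddress.ip_network(token, strict=False) for token in acl.split()]


def acl_allows(acl, remote_addr):
    """True if remote_addr falls inside any entry of the acl. Address-family
    mismatches (an IPv6 requester against an IPv4 entry) never match."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in parse_acl(acl))


def loopback_only(acl):
    """True if every acl entry lies entirely within a loopback range, i.e. the
    handler is reachable only from the SP host itself, as the page advises."""
    return all(net.is_loopback for net in parse_acl(acl))


def audit_acl(acl, requesters):
    """Evaluate a candidate acl against sample requester addresses and report
    which would be admitted, plus whether the acl is wider than loopback."""
    return {
        "loopback_only": loopback_only(acl),
        "allowed": [ip for ip in requesters if acl_allows(acl, ip)],
        "denied": [ip for ip in requesters if not acl_allows(acl, ip)],
    }


if __name__ == "__main__":
    # Constructed sample requester addresses, not taken from any real deployment.
    samples = ["127.0.0.1", "::1", "10.20.30.40", "203.0.113.9"]
    for candidate in (LOCALHOST_ACL, "127.0.0.1 10.0.0.0/8", "0.0.0.0/0"):
        print(candidate, "->", audit_acl(candidate, samples))
```

Run it with the acl string you intend to put on the handler: if loopback_only comes back False, the handler is reachable from more than the SP host and the warning above applies.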

The resolution process behaves as though an assertion containing a subject identifier (e.g. a persistent NameID) was received from the entity identified by the various parameters, and then calls the resolver exactly as it would if no attributes had been received. Suitably manipulated, this makes it possible to generate arbitrary attribute queries to systems for which metadata is available. One use case is to retrieve user attributes from a user's Identity Provider without the user's involvement, provided the SP holds, for example, the user's persistent NameID.

The output is currently limited to JSON. It is either dumped as a structure containing an array field named for each attribute, with each value serialized into its own array slot, or encoded in a way that combines multiple values into delimited strings identical to what would appear in server variables or headers. The latter is enabled by setting the encoding parameter to "JSON/CGI".

Attributes

Common Attributes

Specific Attributes

Name | Type | Default | Description
acl | space-delimited list of IP addresses (V4/V6) or CIDR statement | localhost only | A set of requesting addresses to limit access to.

Query String Parameters

The following parameters may be supplied either in fixed form inside the XML, or as query string parameters:

Name | Type | Default | Description
nameId | string | Required | The SAML NameIdentifier/NameID value to supply in any queries issued.
format | URI |  | The SAML NameIdentifier/NameID Format to use.
nameQualifier | URI | entityID parameter if supplied | The SAML NameIdentifier/NameID NameQualifier to set.
spNameQualifier | URI | The SP's Entity ID | The SAML NameID SPNameQualifier to set.
omitQualifiers (3.5) | boolean | false | If true, omits the name qualifier attributes from the NameID element.
protocol | protocol URI or "SAML2.0", "SAML1.1", "SAML1.0" | SAML2.0 | Protocol support constant used during any metadata lookups.
entityID | URI |  | The "issuing" entity for the purposes of looking up SAML metadata for input to the resolution process.
encoding | JSON or JSON/CGI | JSON | Selects the output format; see the notes on output above.

Example

Example Request

$ curl --insecure --get "https://localhost/Shibboleth.sso/AttributeResolver" \
    --data-urlencode "format=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" \
    --data-urlencode "entityID=https://your.idp.example.org/idp/shibboleth" \
    --data-urlencode "nameId=123456789PfvsH8k4gvHoeq6QtM="

Example result

{
  "displayName" : [ "Lukas Hämmerle" ],
  "mail" : [ "lukas.haemmerle@switch.ch" ],
  "schacHomeOrganization" : [ "switch.ch" ],
  "persistent-id" : [ "https://your.idp.example.org/idp/shibboleth!https://test.sp.example.org/shibboleth!123456789PfvsH8k4gvHoeq6QtM=" ],
  "idp" : [ "https://your.idp.example.org/idp/shibboleth" ]
}
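A local consumer of this handler has to build the query string from the parameters in the table above and cope with both output encodings described earlier. The script below is an added example written for this page, not code shipped with the Shibboleth SP. It reuses the handler URL, parameter values and JSON result from the curl example; the JSON/CGI sample is constructed, and its shape (one delimited string per attribute, values joined with ";" and a literal ";" escaped with a backslash, as in the SP's header encoding) is this example's assumption rather than something the page spells out.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Handler location taken from the page's curl example.
HANDLER_URL = "https://localhost/Shibboleth.sso/AttributeResolver"

# Offline samples. SAMPLE_JSON is the page's own example result (trimmed);
# SAMPLE_CGI is constructed and reflects this example's assumed JSON/CGI shape.
SAMPLE_JSON = """{ "displayName" : [ "Lukas Hämmerle" ],
  "mail" : [ "lukas.haemmerle@switch.ch" ],
  "schacHomeOrganization" : [ "switch.ch" ],
  "idp" : [ "https://your.idp.example.org/idp/shibboleth" ] }"""
SAMPLE_CGI = r'{ "mail" : "alice@example.org;a\\;b@example.org", "eppn" : "alice@example.org" }'


def build_query(name_id, entity_id, fmt=None, encoding="JSON", **extra):
    """Build the handler URL with the query-string parameters from the table.
    Extra keyword arguments (nameQualifier, spNameQualifier, protocol, ...)
    are passed through unchanged."""
    params = {"nameId": name_id, "entityID": entity_id}
    if fmt:
        params["format"] = fmt
    if encoding != "JSON":  # JSON is the handler's default, so omit it
        params["encoding"] = encoding
    params.update(extra)
    return HANDLER_URL + "?" + urlencode(params)


def split_delimited(value, delimiter=";"):
    """Split a header-style delimited string into values. A backslash directly
    before the delimiter is treated as an escape (assumed escaping rule)."""
    if value == "":
        return []
    values, current, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] == delimiter:
            current.append(delimiter)
            i += 2
            continue
        if ch == delimiter:
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    values.append("".join(current))
    return values


def parse_attributes(text, delimiter=";"):
    """Normalise either output encoding to {attribute: [values]}. Array fields
    (encoding=JSON) are taken as-is; string fields (assumed JSON/CGI shape)
    are split on the delimiter. Anything else is rejected rather than guessed."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("handler output is not a JSON object")
    result = {}
    for name, value in data.items():
        if isinstance(value, list):
            result[name] = [str(v) for v in value]
        elif isinstance(value, str):
            result[name] = split_delimited(value, delimiter)
        else:
            raise ValueError(f"unexpected value type for attribute {name!r}")
    return result


def fetch_attributes(url, timeout=5):
    """GET the handler and parse the body. TLS verification is left at urllib's
    default; the page's curl example switches it off with --insecure instead."""
    req = Request(url, headers={"Accept": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        return parse_attributes(resp.read().decode("utf-8"))


if __name__ == "__main__":
    url = build_query(
        "123456789PfvsH8k4gvHoeq6QtM=",
        "https://your.idp.example.org/idp/shibboleth",
        fmt="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    )
    print(url)
    print(parse_attributes(SAMPLE_JSON))
    print(parse_attributes(SAMPLE_CGI))
    # fetch_attributes(url) would issue the real request on the SP host.
```

Because the handler is meant for local use only, fetch_attributes is expected to be run on the SP host against the loopback address; the parsing functions can be exercised offline with the embedded samples.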