type="AttributeResolver", this handler implements a loopback query-based protocol to invoke the SP's AttributeResolver machinery in a manner similar to the resolvertest utility/example, and provides JSON-based output. In comparison to the resolvertest binary, this plugin is a lot faster because it does not have to load the whole configuration (including metadata download etc.) and it can be queried via a web request.
.To use this plugin, the plugins.so shared library must be loaded via the
<Library> element. Also the plugins-lite.so shared library must be loaded via the
This handler SHOULD NOT be exposed to any untrusted network interfaces and addresses or you will potentially expose user information to an untrusted requester. There is no security implemented in addition to the acl (access control list) option on this interface and it is designed for local use only.
The resolution process behaves as though an assertion containing a subject identifier (e.g. a persistentID) was received from the entity identified by the various parameters, and then performs a call to the resolver equivalent to what would be performed if no attributes were initially received. Suitably manipulated, this makes it possible to generate arbitrary attribute queries to systems for which metadata is available. One use case is to retrieve user attributes from a user's Identity Provider without the user's involvement, provided the SP has for example the users persistentID Name ID.
The output is currently limited to JSON, and is either dumped in a structure containing an array field named for each attribute, with each value serialized to its own own array slot, or is encoded in a way that combines multiple values into delimited strings identical to what would appear in server variables or headers. The latter is enabled by setting the
encoding parameter to "JSON/CGI".
The following attributes are available on all handlers
Plugin type name.
Path used to invoke handler (when appended to the base
space-delimited list of IP addresses (V4/V6) or CIDR statement
A set of requesting addresses to limit access to.
Query String Parameter
The following parameters may be supplied either in fixed form inside the XML, or as query string parameters:
The SAML NameIdentifier/NameID value to supply in any queries issued.
The SAML Nameidentifier/NameID Format to use.
|URI||entityID parameter if supplied||The SAML NameIdentifier/NameID NameQualifier to set.|
|URI||The SP's Entity ID||The SAML NameID SPNameQualifier to set.|
|protocol||protocol URI or|
SAML2.0 SAML1.1 SAML1.0
|Protocol support constant used during any metadata lookups.|
The "issuing" entity for the purposes of looking up SAML metadata for input to the resolution process.
|see notes above|
$ curl --insecure --get "https://localhost/Shibboleth.sso/AttributeResolver" \
--data-urlencode "format=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" \
--data-urlencode "entityID=https://your.idp.example.org/idp/shibboleth" \
"displayName" : [
"mail" : [
"schacHomeOrganization" : [
"persistent-id" : [
"idp" : [