Attribute Resolver Handler

Identified by type="AttributeResolver", this handler implements a loopback query-based protocol to invoke the SP's AttributeResolver machinery in a manner similar to the resolvertest utility/example, and provides JSON-based output. In comparison to the resolvertest binary, this plugin is a lot faster because it does not have to load the whole configuration (including metadata download etc.) and it can be queried via a web request.

To use this plugin, the plugins.so shared library must be loaded via the <OutOfProcess> element's <Library> element. Also the plugins-lite.so shared library must be loaded via the <InProcess> element's <Library> element.

This handler SHOULD NOT be exposed to any untrusted network interface or address, or you will potentially expose user information to an untrusted requester. Apart from the acl (access control list) option, no security is implemented on this interface; it is designed for local use only.

The resolution process behaves as though an assertion containing a subject identifier (e.g. a persistentID) was received from the entity identified by the various parameters, and then performs a call to the resolver equivalent to what would be performed if no attributes were initially received. Suitably manipulated, this makes it possible to generate arbitrary attribute queries to systems for which metadata is available. One use case is to retrieve user attributes from a user's Identity Provider without the user's involvement, provided the SP has, for example, the user's persistent NameID.

The output is currently limited to JSON, and is either dumped in a structure containing an array field named for each attribute, with each value serialized to its own array slot, or is encoded in a way that combines multiple values into delimited strings identical to what would appear in server variables or headers. The latter is enabled by setting the encoding parameter to "JSON/CGI".

Attributes

Common Attributes

The following attributes are available on all handlers.

Name     | Type          | Default  | Description
type     | string        | Required | Plugin type name.
Location | relative path | Required | Path used to invoke handler (when appended to the base handlerURL).

Specific Attributes

Name | Type                                                          | Default        | Description
acl  | space-delimited list of IP addresses (V4/V6) or CIDR statement | localhost only | A set of requesting addresses to limit access to.

Query String Parameters

The following parameters may be supplied either in fixed form inside the XML, or as query string parameters:

Name            | Type                                           | Default                        | Description
nameId          | string                                         | Required                       | The SAML NameIdentifier/NameID value to supply in any queries issued.
format          | URI                                            |                                | The SAML NameIdentifier/NameID Format to use.
nameQualifier   | URI                                            | entityID parameter if supplied | The SAML NameIdentifier/NameID NameQualifier to set.
spNameQualifier | URI                                            | The SP's Entity ID             | The SAML NameID SPNameQualifier to set.
protocol        | protocol URI or SAML2.0, SAML1.1, SAML1.0      | SAML2.0                        | Protocol support constant used during any metadata lookups.
entityID        | URI                                            |                                | The "issuing" entity for the purposes of looking up SAML metadata for input to the resolution process.
encoding        | JSON or JSON/CGI                               | JSON                           | See notes above.

Example

Example Request
$ curl --insecure --get "https://localhost/Shibboleth.sso/AttributeResolver" \
  --data-urlencode "format=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" \
  --data-urlencode "entityID=https://your.idp.example.org/idp/shibboleth" \
  --data-urlencode "nameId=123456789PfvsH8k4gvHoeq6QtM="
Example result
{
    "displayName" : [
        "Lukas Hämmerle"
    ],
    "mail" : [
        "lukas.haemmerle@switch.ch"
    ],
    "schacHomeOrganization" : [
        "switch.ch"
    ],
    "persistent-id" : [
        "https://your.idp.example.org/idp/shibboleth!https://test.sp.example.org/shibboleth!123456789PfvsH8k4gvHoeq6QtM="
    ],
    "idp" : [
        "https://your.idp.example.org/idp/shibboleth"
    ]
}
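The request above and the two output encodings, as an added client-side example that is not part of the Shibboleth SP or this page: it builds the handler query string (URL-encoding the trailing "=" of the persistent NameID), refuses non-loopback handler URLs in keeping with the local-use advice, and normalises both the default "JSON" form and the "JSON/CGI" form into one attribute-to-values mapping. The samples are constructed, and the JSON/CGI delimiter (";" with "\;" escaping a literal semicolon) is an assumption about the server-variable encoding.

```python
import json
import re
import urllib.request
from urllib.parse import urlencode, urlparse

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample in the default "JSON" encoding: one array per attribute.
SAMPLE_JSON = r'''{"displayName": ["Lukas Hämmerle"],
  "mail": ["lukas.haemmerle@switch.ch"],
  "eduPersonAffiliation": ["member", "staff"]}'''

# Constructed sample in "JSON/CGI" encoding: multiple values joined as in
# server variables. Assumed delimiter ";" with "\;" escaping a literal ";".
SAMPLE_JSON_CGI = r'''{"displayName": "Lukas Hämmerle",
  "mail": "lukas.haemmerle@switch.ch",
  "eduPersonAffiliation": "member;staff",
  "eduPersonEntitlement": "urn:x:a\\;b;urn:x:c"}'''


def build_query(base_url, name_id, entity_id, fmt=PERSISTENT, encoding="JSON"):
    """Return the handler URL with the page's query parameters URL-encoded."""
    host = urlparse(base_url).hostname
    if host not in ("localhost", "127.0.0.1", "::1"):
        # The handler is meant for local use only; do not point it elsewhere.
        raise ValueError("AttributeResolver handler should only be queried on loopback")
    params = {"nameId": name_id, "entityID": entity_id,
              "format": fmt, "encoding": encoding}
    return base_url + "?" + urlencode(params)


def split_cgi(value):
    """Split a JSON/CGI multi-value string on unescaped ';' and unescape."""
    return [p.replace("\\;", ";") for p in re.split(r"(?<!\\);", value)]


def parse_attributes(body, encoding="JSON"):
    """Normalise either encoding into {attribute: [values...]}."""
    data = json.loads(body)
    if encoding == "JSON/CGI":
        return {name: split_cgi(val) for name, val in data.items()}
    return {name: list(vals) for name, vals in data.items()}


def fetch_attributes(url, encoding="JSON", timeout=5):
    """Live call (not exercised offline); TLS verification stays enabled."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_attributes(resp.read().decode("utf-8"), encoding)
```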