Attribute Resolver Handler
- Rod Widdowson
- Scott Cantor
- Former user (Deleted)
- Takeshi Nishimura
Identified by type="AttributeResolver", this handler implements a loopback query-based protocol to invoke the SP's AttributeResolver machinery in a manner similar to the resolvertest utility/example, and provides JSON-based output. In comparison to the resolvertest binary, this plugin is a lot faster because it does not have to load the whole configuration (including metadata download etc.) and it can be queried via a web request.
.To use this plugin, the plugins.so shared library must be loaded via the <OutOfProcess> element's <Library> element. Also the plugins-lite.so shared library must be loaded via the <InProcess> element's.
This handler SHOULD NOT be exposed to any untrusted network interfaces and addresses or you will potentially expose user information to an untrusted requester. There is no security implemented in addition to the acl (access control list) option on this interface and it is designed for local use only.
The resolution process behaves as though an assertion containing a subject identifier (e.g. a persistentID) was received from the entity identified by the various parameters, and then performs a call to the resolver equivalent to what would be performed if no attributes were initially received. Suitably manipulated, this makes it possible to generate arbitrary attribute queries to systems for which metadata is available. One use case is to retrieve user attributes from a user's Identity Provider without the user's involvement, provided the SP has for example the users persistentID Name ID.
The output is currently limited to JSON, and is either dumped in a structure containing an array field named for each attribute, with each value serialized to its own own array slot, or is encoded in a way that combines multiple values into delimited strings identical to what would appear in server variables or headers. The latter is enabled by setting the encoding parameter to "JSON/CGI".
Attributes
Common Attributes
Specific Attributes
Name | Type | Default | Description |
|---|---|---|---|
acl | space-delimited list of IP addresses (V4/V6) or CIDR statement | localhost only | A set of requesting addresses to limit access to. |
Query String Parameter
The following parameters may be supplied either in fixed form inside the XML, or as query string parameters:
Name | Type | Default | Description |
|---|---|---|---|
nameId | string | Required | The SAML NameIdentifier/NameID value to supply in any queries issued. |
format | URI |
| The SAML Nameidentifier/NameID Format to use. |
nameQualifier | URI | entityID parameter if supplied | The SAML NameIdentifier/NameID NameQualifier to set. |
spNameQualifier | URI | The SP's Entity ID | The SAML NameID SPNameQualifier to set. |
omitQualifiers 3.5 | boolean | false | If true, will omit the name qualifier attributes from the NameID element |
protocol | protocol URI or “SAML2.0”, “SAML1.1”, “SAML1.0” | SAML2.0 | Protocol support constant used during any metadata lookups. |
entityID | URI | The "issuing" entity for the purposes of looking up SAML metadata for input to the resolution process. | |
encoding | JSON or JSON/CGI | JSON | see notes above |
Example
Example Request
$ curl --insecure --get "https://localhost/Shibboleth.sso/AttributeResolver" \
--data-urlencode "format=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" \
--data-urlencode "entityID=https://your.idp.example.org/idp/shibboleth" \
--data-urlencode "nameId=123456789PfvsH8k4gvHoeq6QtM="Example result
{
"displayName" : [
"Lukas Hämmerle"
],
"mail" : [
"lukas.haemmerle@switch.ch"
],
"schacHomeOrganization" : [
"switch.ch"
],
"persistent-id" : [
"https://your.idp.example.org/idp/shibboleth!https://test.sp.example.org/shibboleth!123456789PfvsH8k4gvHoeq6QtM="
],
"idp" : [
"https://your.idp.example.org/idp/shibboleth"
]
}