The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

FilterTemplate

The <FilterTemplate> element provides the template from which the LDAP search filter will be built.

Schema Name and Location

This element is defined by the urn:mace:shibboleth:2.0:resolver schema, which is located at http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd.

Typically the XML "CDATA" construct is used to wrap the text because it avoids the need for special escaping of most characters.

Examples

Using Principal Name

<FilterTemplate>
  <![CDATA[
          (uid=$resolutionContext.principal)
  ]]>
</FilterTemplate>

Using a Dependent Attribute

<FilterTemplate>
  <![CDATA[
          (uid=$employeeNumber.get(0))
  ]]>
</FilterTemplate>

Attributes

No attributes are defined.

Child Elements

No child elements are defined.

Template Context

As described below, several variables are available in the template context. In practice, $resolutionContext.principal and $attributeName will be useful.

| Name | When Valid | Description |
|------|------------|-------------|
| resolutionContext | always | The AttributeResolutionContext. Useful members include $resolutionContext.principal, $resolutionContext.attributeRecipientID and $resolutionContext.principalAuthenticationMethod |
| requestContext | The springResource attribute is not defined on the containing LDAPConnector | The legacy V2SAMLProfileRequestContext, provided for compatibility with most legacy query templates |
| foo, bar, etc. | Whenever the enclosing element has a dependency (attribute or data connector) | For each IdPAttribute available from all the provided dependencies, the attribute's values are available via the attribute's name. If the attribute has only a single value and you do not want the array characters '[' and ']' as part of your filter, you can use $attributeName.get(0) to get that value. |
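
The substitution rules from the Template Context description above, modelled as an added Python sketch (not Shibboleth or Velocity code, and not from the original page). The context dictionary, the function names and the sample values are constructed; escaping each substituted value per RFC 4515 is this sketch's own assumption about safe handling, not something this page states about the IdP.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape one value so it cannot alter the structure of an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in str(value))

# Matches $name, $name.member and $name.get(N)
_REF = re.compile(r"\$(\w+)(?:\.get\((\d+)\)|\.(\w+))?")

def render_filter(template, context):
    """Render a filter template against a hypothetical model of the template
    context: dependency attributes are lists, resolutionContext is a dict."""
    def substitute(match):
        name, index, member = match.groups()
        if name not in context:
            raise KeyError(f"${name} is not in the template context")
        value = context[name]
        if index is not None:            # $attr.get(0): one value, no brackets
            value = value[int(index)]
        elif member is not None:         # $resolutionContext.principal
            value = value[member]
        elif isinstance(value, list):    # bare $attr: whole collection, with '[' and ']'
            value = "[" + ", ".join(map(str, value)) + "]"
        return escape_filter_value(value)
    # CDATA bodies usually carry surrounding whitespace; trim it before use.
    return _REF.sub(substitute, template.strip())

# Constructed sample context: a principal containing filter metacharacters and
# one single-valued dependency attribute.
CONTEXT = {
    "resolutionContext": {"principal": "j*doe(x)"},
    "employeeNumber": ["12345"],
}

if __name__ == "__main__":
    for tpl in ("(uid=$resolutionContext.principal)",
                "(uid=$employeeNumber.get(0))",
                "(uid=$employeeNumber)"):
        print(f"{tpl:40} -> {render_filter(tpl, CONTEXT)}")
```

The third template shows why `.get(0)` matters: the bare reference renders the collection with its brackets, which produces a filter that will not match the intended entry.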