The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

SimpleAttributeDefinition

Configuring a Simple Attribute Definition

This simple plugin passes attribute values received from a data connector through so that they are made available to the Attribute Release Policy engine, which in turn may release them to the service provider.

Attribute Definition Basics

All attribute definitions are configured in the IdP's resolver.xml file.

Basic Attributes

Each attribute definition supports the following basic XML attributes in its definition:

  • id - (required) used by the definition to determine its source, or input, attribute and by other definitions and data connectors to refer to this definition
  • sourceName - (optional) used to explicitly specify the name of the source, or input, attribute used by the definition

Source Attributes

Most attribute definitions transform other attributes. A definition will determine the name of its source attribute in the following way:

  1. If sourceName is present, use an attribute whose name exactly matches the given source name
  2. Use an attribute whose name exactly matches the definition's id
  3. Use an attribute whose name exactly matches the last token of the definition's id split on / or :

Configuring the Definition

In the basic configuration this definition assumes that the attribute from the connector is named exactly the name given in the id attribute or, if the name contains a #, :, or /, the substring running from the first character after the final delimiter to the end of the string.

  1. Create a SimpleAttributeDefinition element with its id attribute, whose value is the name of the attribute to be released

Example Configuration

Assumes an attribute from at least one connector named "memberOf"

<SimpleAttributeDefinition id="memberOf" />

Assumes an attribute from a connector named "eduPersonAffiliation"

<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation" />

Advanced Configurations

The following, more advanced, attributes may be added to a SimpleAttributeDefinition element:

  • sourceName - used to specify the exact name of the source attribute instead of using the convention described above
  • allowEmpty - whether to allow the attribute to have an empty string as a value; acceptable values: true or false
  • smartScope - a scope to be appended to an attribute value if that value does not already contain one

Example Configuration

This example maps the attribute "guPersonAffiliation" to "urn:mace:dir:attribute-def:eduPersonAffiliation". This is good for renaming attributes.

<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation"
                           sourceName="guPersonAffiliation" />

This example shows how to create an eduPersonScopedAffiliation attribute given an eduPersonAffiliation

<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                           sourceName="urn:mace:dir:attribute-def:eduPersonAffiliation"
                           smartScope="georgetown.edu">
    <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation" />
</SimpleAttributeDefinition>
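
The source-name rules from "Source Attributes" and the allowEmpty and smartScope options above, modelled as an added Python example (not Shibboleth's own code) for checking which connector attribute ends up under a released id. Assumptions: "@" separates a value from its scope, empty values are dropped unless allowEmpty is true, and an explicit sourceName has no fallback; the function names and sample data are constructed for illustration.

```python
import re

def resolve_source_name(def_id, available, source_name=None):
    """Name of the connector attribute a definition reads, or None if no match."""
    if source_name is not None:
        # Rule 1: an explicit sourceName must match exactly.
        # Assumption: no fallback to the id-based rules when it is set.
        return source_name if source_name in available else None
    if def_id in available:
        # Rule 2: exact match on the definition's id.
        return def_id
    # Rule 3: last token of the id. The delimiter set (#, :, /) follows the
    # "Configuring the Definition" section.
    last = re.split(r"[#:/]", def_id)[-1]
    return last if last in available else None

def apply_options(values, smart_scope=None, allow_empty=False):
    """Apply allowEmpty and smartScope to a list of string values."""
    out = []
    for value in values:
        if value == "":
            if allow_empty:  # Assumption: empty values are dropped otherwise.
                out.append(value)
            continue
        # Assumption: "@" separates value and scope; scoped values pass through.
        if smart_scope and "@" not in value:
            value = f"{value}@{smart_scope}"
        out.append(value)
    return out

def release_preview(def_id, connector_data, source_name=None, **options):
    """Return (source attribute name, resulting values) for one definition."""
    name = resolve_source_name(def_id, connector_data.keys(), source_name)
    values = connector_data.get(name, []) if name else []
    return name, apply_options(values, **options)

# Constructed sample connector output, not real directory data.
SAMPLE = {
    "guPersonAffiliation": ["staff", "student@law.georgetown.edu", ""],
    "eduPersonAffiliation": ["member"],
    "memberOf": ["cn=admins"],
}

if __name__ == "__main__":
    print(release_preview("urn:mace:dir:attribute-def:eduPersonAffiliation", SAMPLE))
    print(release_preview("urn:mace:dir:attribute-def:eduPersonAffiliation", SAMPLE,
                          source_name="guPersonAffiliation",
                          smart_scope="georgetown.edu"))
```
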

Attribute Definition Dependencies

In order to use attributes from data connectors or other definitions, you need to make sure those dependencies are resolved before this definition is called.

If your definition depends on a data connector, create a child element of the main definition element called DataConnectorDependency and give it a requires attribute whose value is the id of the data connector this definition depends on.

If your definition depends on another definition, create a child element of the main definition element called AttributeDependency and give it a requires attribute whose value is the id of the definition this definition depends on.

Error Propagation

Not every attribute definition will, or needs to, work for every user in the system. However, the definition may emit an error if it is unable to find any entries for the user or if it depends on another data connector or definition that didn't apply to the current user.

To suppress these errors, so that they don't stop the attribute lookup process, add the following attribute and value to the main definition element:

  • propagateErrors - with a value of false

Data Caching

Attribute definitions cache their information for the length of one attribute request, that is, until all data connectors and definitions have been evaluated and their information retrieved. You may optionally have the definition cache its data for a fixed period of time. This can increase performance but introduces a delay before changes to frequently changing data become visible.

To enable this longer-lived cache, add the following attribute to the main definition element:

  • cacheTime - the length of time, in seconds, to cache the attributes fetched by this definition