Attribute Authority, Command Line Interface (AACLI)
The Shibboleth attribute authority (AA) is the part of a provider that's responsible for the inflow and outflow of attributes. Each time an IdP participates in a SAML transaction, the AA undertakes a number of steps to prepare attributes to be sent:
- The AA collects attributes from source systems
Note that with JDBC only Application Managed Connections can be tested, since the AACLI does not run in a container.
- The attributes are processed according to rules and dependencies defined in the resolver;
- The resulting attributes are filtered according to filter policies, SAML metadata information, and attribute query information.
- The attributes are then encoded into SAML attribute statements which may be sent to a relying party.
The attribute authority command line interface (AACLI) allows deployers to exercise their configurations and view the information that would likely be sent back to the relying party for a given SAML transaction. As it is not possible to specify every piece of information that goes into the attribute authority in a running system, the results are only an approximation of what would really be returned.
Running the Command
The attribute authority command line interface is located in the
$IDP_HOME/bin directory and is called
aacli.sh on Unix systems and
aacli.bat on Windows systems. It may take the following information:
Required / Optional
Directory containing the configuration information for the system. If not specified and the
Principal name (user id) of the person to retrieve the attributes about
The SAML entity ID that is requesting the attributes (entity ID of the Service Provider)
The SAML entity ID of the producer/issuer of the attributes
The authentication method URI that the principal was authenticated with
A no-value argument that indicates the resulting attributes should be SAML 1 formated instead of SAML 2
Colon-delimited list of files containing Spring extension configurations
Displays the help message for the tool
Information will be returned in SAML 2 AttributeStatement format (or SAML 1 AttributeStatement format if the
--saml1 parameter is given).
Examples with sample results (Unix)
When no attributes would be released, you will see the "No attribute statement" message:
For your IdP whose AA is configured to release uid, eduPersonPrincipalName, and eduPersonPrimaryAffiliation, successful results will look something like this:
Example command to see what attributes would be released to the testshib.org service provider, whose entity ID is https://sp.testshib.org/shibboleth-sp:
If you receive an exception when you run the aacli.sh script, you may be able to find out more information about the error in the IdP's log file, usually in $IDP_HOME/logs/idp-process.log.