<AttributeExtractor> element configures the component used by the SP to turn SAML content into "attributes", the internal/neutral representation of information stored within user sessions. With the exception of a few built-in data elements associated with each session, most of the data an application is able to access about a session is made up of the internal attributes that are produced by using one or more attribute extractors.
The SP generally invokes the extraction step following the acceptance of assertions during SSO and as a result of secondary attribute resolution from SAML-based sources such as an Attribute Authority. Extraction is generally followed by a filtering step that can apply rules over what attributes or values to accept.
In general, extractors can be handed many different XML element types and are free to process them or ignore them as their implementation or configuration dictates.
Like most plugins, the
type attribute determines which type of plugin to use. Each type supports its own attributes and child elements.
|XML||The main type used by most deployments, implements an XML-based rule syntax for decoding SAML attributes and name identifiers into internal attributes|
|KeyDescriptor||Exposes the signing/TLS or encryption keys advertised in an IdP's metadata as attributes|
|Delegation||Exposes content from within a SAML DelegationRestriction condition as attributes|
|Assertion||Exposes specific "built-in" content from within a SAML assertion as attributes|
|Metadata||Exposes specific "built-in" content from within SAML metadata as attributes|
Implements an XML-based rule syntax for decoding GSS-API naming extensions into internal attributes
<AttributeExtractor> plugins support the following attributes:
Specifies the type of AttributeExtractor plugin to use