The <AttributeResolver> element configures components that can be enabled to obtain additional attributes about the logged-in user following an SSO event, as well as to transform existing attributes or create new ones internally.
During SSO, the IdP can (and generally does) supply attributes in a "push" fashion inside the SAML assertions it issues. These attributes are decoded with an AttributeExtractor and cached with the user's session. The purpose of a resolver plugin is to "pull" attributes from additional sources or to transform existing attributes in some way.
Like most plugins, the type attribute determines which type of plugin to use. Each type supports its own attributes and child elements.
|Query||Issues a SAML AttributeQuery to the originating IdP to obtain attributes when they are omitted from the original assertion|
Issues one or more SAML Attribute Queries to third-party Attribute Authorities independent of the originating IdP using identifier(s) obtained during SSO
|Transform||Applies one or more regular expressions to an input attribute, either replacing its values, or generating new attribute(s)|
|Template||Plugs values from one or more existing attributes into a template string that can combine the original attributes into a new attribute|
|UpperCase||Converts the values of an attribute into upper case, either replacing its values, or generating a new attribute|
|LowerCase||Converts the values of an attribute into lower case, either replacing its values, or generating a new attribute|
<AttributeResolver> plugins support the following attributes:
|type||Specifies the type of AttributeResolver plugin to use|
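The following configuration is an added example, not taken from the original page. It shows how the type attribute selects a plugin, using the Query, Transform and LowerCase types from the table above. The attribute IDs (eppn, mail, localID) are assumptions that depend on the local attribute map, and the subjectMatch, source, dest and match settings belong to the individual plugin types rather than to this page.

```xml
<!-- Added example; each element is a separate illustration. -->

<!-- Query: ask the originating IdP for attributes that were
     omitted from the original assertion. -->
<AttributeResolver type="Query" subjectMatch="true"/>

<!-- Transform: derive a new attribute "localID" from the scoped
     "eppn" value instead of replacing eppn itself.
     The pattern is anchored with ^ and $ so the whole value has to
     fit it, and the [^@] classes mean a value containing more than
     one "@" does not match. -->
<AttributeResolver type="Transform" source="eppn">
    <Regex match="^([^@]+)@[^@]+$" dest="localID">$1</Regex>
</AttributeResolver>

<!-- LowerCase: normalise "mail" in place (no dest, so the original
     values are replaced) so that later comparisons do not depend on
     the case the IdP happened to send. -->
<AttributeResolver type="LowerCase" source="mail"/>
```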