GSSAPIAttributeExtractor

Owned by Rod Widdowson
Last updated: Dec 08, 2021

 

Using this plugin requires that the plugins.so extension library be loaded via the <Extensions> element in the <OutOfProcess> element.

Overview

Identified by type="GSSAPI", this AttributeExtractor implements an XML-based rule syntax for designating GSS-API naming extensions to decode into internal attributes.

GSS-API names or contexts can be processed by encoding the exported data in base64, and wrapping in an <am:GSSName> or <am:GSSContext> element respectively, to meet the constraints of the API, which are based around XML as input.

This extractor's configuration is implemented as a reloadable XML resource, which means that the XML content can be supplied inline, in a local file, or a remote file, and can be monitored for changes and reloaded on the fly (but see the warning below). The root of the XML in any of those cases MUST be an <am:Attributes> element, either as a child element in an existing file or the root of a different file.

Each <am:GSSAPIAttribute> child element installs a rule for extracting a particular GSS naming extension attribute into an internal SP attribute. The source of the attribute is identified with the name XML attributes and internally tagged by the id.

Multiple <am:GSSAPIAttribute> rules can share the same id; the implication is that a given internal name may be mapped from multiple externally-named sources to consolidate multiple sources down into one representation.

Reference

Attributes

Aside from the type="XML" attribute itself, there is no other attribute content specific to this plugin type.

It supports all of the attributes common to all reloadable configuration resources:

Child Elements

The following child element must be provided, either inline, or as the root element of a local or remote XML resource to load from, which would be specified via the attribute(s) above.

Name

Cardinality

Description

Name

Cardinality

Description

<am:Attributes>

1

Root element of configuration

When a non-inline configuration is used, it supports the following child elements common to all reloadable configuration resources.

<am:Attributes> Element Reference

This is the root element of the mapping configuration.

Child Elements

The following child element content is supported:

Name

Cardinality

Description

Name

Cardinality

Description

<am:GSSAPIAttribute>

1 or more

An extraction rule

<am:GSSAPIAttribute> Element Reference

Each <am:GSSAPIAttribute> element describes an extraction rule, the core of this plugin's behavior.

Attributes

An extraction rule supports the following XML attributes:

Name

Type

Req?

Default

Description

Name

Type

Req?

Default

Description

id

string

Y



Name of the attribute to create

name

string

Y



GSS-API naming extension attribute to extract from

authenticated

boolean



true

If true, only authenticated GSS-API naming attributes are processed

scopeDelimeter

character





If set, all values of the naming attribute must contain the character, and it is used to split the value into a two-part construct expressed as a scoped attribute

binary

boolean



false

If set, this overrides the scopeDelimiter option, and causes the attribute's value to be base64-encoded and handled as a binary attribute. The unencoded value can be accessed natively in C++ code, but the serialized values are left encoded.

Examples

A typical non-inline configuration of this plugin is:

Specifying a GSSAPI Extractor in another file
<AttributeExtractor type="GSSAPI" reloadChanges="false" path="gss-api.xml"/>

A simple example configuration:

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"> <GSSAPIAttribute name="urn:ietf:params:gss-eap:radius-avp urn:x-radius:1" id="radius-1"/> </Attributes>