Page tree
Skip to end of metadata
Go to start of metadata


Identified by type="SimpleAggregation", this AttributeResolver supports a primitive form of aggregation of attributes from multiple sources of authority through the use of SAML 2.0 attribute queries using an identifier derived from the attributes obtained prior to this plugin executing. In other words, the original data is used as input to form follow-up requests to other sources.

This simple form of aggregation relies on a plain-text identifier (which could be pseudonymous but is still "seen" by the SP) as a "link" to accounts at other SAML attribute authorities. Furthermore, this plugin only supports the same forms of authentication usable when making primary attribute queries with the Query plugin. This includes mechanisms like client TLS, message signing, or some forms of HTTP authentication, but is not "presence-oriented"; that is, there is no proof supplied the user is "present" at the SP, so there are no constraints on when the SP could perform such queries.

Conceptually, you can think of this mechanism as equivalent to a networked set of LDAP or X.500 directories queried by DN, merely in SAML terms. It is, however, relatively easy to implement and support when there are batch processes in place for the exchange of identity data to establish the links. No user intervention is required, which is a plus for simplicity but a minus for privacy and user control.

After each query is performed, the resolver applies the attribute extractor and filter plugin(s) configured for the application before continuing with other queries and eventually returning the resulting attributes. Each filtering step will operate on only the attributes extracted as a result of a particular query, and the filter policies can be expressed in terms of the actual "issuer" of each set of attributes for fine-grained control.


XML Namespaces

This page refers to the following XML namespaces:

PrefixNamespace URIDescription


SAML 2.0 Assertion namespace


The following optional attributes are supported:

policyId string

Optional identifier of a customized security policy to use when performing the query

attributeId whitespace-delimited list of strings
Optional list of attribute IDs to search for a value to use as the identifier in the queries performed. The first attribute value found will be used as the value of the <NameID> in the query. If this attribute is omitted, the original <NameID> supplied by the user's original IdP is simply copied directly.
format URI
Optional value to use as the Format attribute in a "generated" <NameID> element created from an arbitrary source attribute using the attributeId setting above. This value is ignored if the attributeId setting is omitted, or if the specified attribute used is a so-called "NameID-valued" attribute that resulted from a NameID-aware attribute decoder
subjectMatch booleanfalseIf true, enforces SAML "strong matching" requirements on the subject of the resulting assertions. By default, each AA is trusted to return an assertion about the queried subject without explicitly comparing the result.
exceptionId string

Optional identifier of a special attribute to create in the event of a "transient" failure during the aggregation process. Errors are considered transient if they are caused by system outages or misconfiguration. If an IdP appears to support the query protocol, then transient errors include any failure to obtain a successful SAML response or a violation of security policy while processing the result.

If such errors occur, the attribute will contain one or more URL-encoded exception messages, and the application should be aware that not all of the "usual" attributes it might receive are available.

Child Elements

The following optional child elements are supported:




<Entity>0 or moreThe value of the element is an entityID to query against. Metadata for a SAML 2.0 Attribute Authority role must be available.
<EntityReference>0 or moreThe value of the element is the ID of an attribute available for the user. Each of the attribute's serialized values is interpreted as an entityID, as per the <Entity> element above.
<saml2:Attribute> 0 or more

Supplies a set of attribute and value filters to include in any queries

<MetadataProvider>0 or 1Supplies a dedicated MetadataProvider to use in place of the application-defined source.
<TrustEngine>0 or 1

Supplies a dedicated TrustEngine to use in place of the application-defined engine.

<AttributeExtractor>0 or 1

Supplies a dedicated AttributeExtractor to use in place of the application-defined extractor.

Note that the <Entity> and <EntityReference> elements can be supplied in any order, and are processed in the order they appear, with a query attempt per entityID obtained.


SimpleAggregation Example
<!-- Uses eduPersonPrincipalName from IdP to query, and asks for eduPersonEntitlement. -->
<AttributeResolver type="SimpleAggregation" attributeId="eppn" format="urn:oid:">
    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="urn:oid:" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonEntitlement"/>
  • No labels