Transform SessionInitiator

Advanced Configuration

Note, this is an advanced configuration feature. Most deployments can rely on the <SSO> shorthand element.

1 Advanced Configuration
2 Attributes
- 2.1 Common Attributes
- 2.2 Specific Attributes
3 Child Elements
4 Query String Parameters
- 4.1 Common Parameters
- 4.2 Specific Parameters
5 Example

Identified by type="Transform", this initiator transforms an entityID according to a set of permutations until IdP metadata can be found. No specific protocol support is assumed; the first entityID for which a valid <md:IDPSSODescriptor> can be found terminates the handler's activity.

This handler doesn't actually cause a response to the browser, but it generally runs first in a chain, and allows the entityID to be manipulated before other handlers run. It serves a variety of purposes, from transforming user input into an entity to acting as a kind of "redirect" mechanism that turns one entityID into another.

Attributes

Common Attributes

Specific Attributes

Name	Type	Default	Description

Name	Type	Default	Description
alwaysRun	boolean	false	If false, the initial entityID value is looked up, and if metadata is found, the handler exits. Set to true to perform at least one transform on even valid entityID values.

Child Elements

Name	Cardinality		Description

Name	Cardinality		Description
<Subst>	0 or more		Simple transform whose element content consists of a string containing the substring `"$entityID"`, into which the current entityID value is substituted. If the element contains a `force` attribute set to `"true"`, the transform always takes effect. Otherwise the transform is only applied if metadata is found (which terminates the handler).
<Regex>	0 or more		Complex transform containing a `match` attribute containing a regular expression against which the current entityID value is applied, and whose element content contains a replacement expression to run based on the results of the match. Only numeric/positional group references (e.g. $1) are supported. If the element contains a `force` attribute set to `"true"`, the transform always takes effect. Otherwise the transform is only applied if metadata is found (which terminates the handler).

Query String Parameters

The following can be provided via the Initiator Protocol

Common Parameters

Specific Parameters

There are no protocol specific parameters

Example

The example tries a sequence of transforms that allows any of the following to be turned into an InCommon IdP name (currently a URN containing a domain name):

the domain name itself (e.g. osu.edu)
an email address from the domain (e.g. foo@osu.edu)
a subdomain of the domain (e.g. law.osu.edu)

<SessionInitiator type="Transform">
    <Subst>urn:mace:incommon:$entityID</Subst>
    <Regex match=".+@(.+)">urn:mace:incommon:$1</Regex>
    <Regex match="^[^.]+\.(.+)">urn:mace:incommon:$1</Regex>
</SessionInitiator>