Page tree

Previous Stable Release

Please note that the V3 release branch is now the previous stable release, with the current stable releases from the V4 branch.
Support for V3 will end on Dec 31, 2020.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

The SubjectDerivedAttribute 3.3 attribute definition exposes attributes values derived from the Subject(s) produced by the authentication flow(s) used to authenticate the subject of the profile request. A configuration shortcut allows for the values from any IdPAttribute objects contained inside IdPAttributePrincipal objects to be pulled out, which is an effective way to tunnel attribute data from outside the IdP provided by the External authentication flow.

Schema Name and Location

This xsi:type is defined by the urn:mace:shibboleth:2.0:resolver namespace 3.3, the schema for which is located at

Prior to V3.3 supplied plugins were defined by a schema type (xsi:type) in the urn:mace:shibboleth:2.0:resolver:ad namespace, whose schema is located at This remains supported, but every element or type in the  urn:mace:shibboleth:2.0:resolver:ad namespace has an equivalently named (but not necessarily identical) version in the urn:mace:shibboleth:2.0:resolver namespace. The use of the  urn:mace:shibboleth:2.0:resolver namespace also allows a relaxation of the ordering requirements of child elements and so a more natural order can be applied.


Any of the common attributes can be specified. Note that this attribute definition does not require a sourceAttributeID attribute since the information is not resolved from a dependent attribute. If one is supplied, it is ignored.

Additionally exactly one of the following must be provided (but not both):

stringThe name of an attribute found inside an IdPAttributePrincipal contained in one of the authenticated Subject(s)
Bean referenceThe name of a Spring Bean implementing Function<Principal, List<IdPAttributeValue>>, this function will be invoked for each Principal found with the authenticated Subject(s)

Child Elements

Any of the common child elements can be specified. Note that this attribute definition does not require a <Dependency> child element since the information is not resolved from a dependent attribute. If any are supplied, then they are ignored.


<AttributeDefinition xsi:type="SubjectDerivedAttribute" id="PD1" principalAttributeName="Whatever">
  • No labels