
Indicated by type="Query", the Query attribute resolver issues a SAML attribute query back to the IdP that issued an SSO assertion if no attributes are pushed. This is compatible with legacy Shibboleth behavior. Metadata for a compatible attribute authority must be available.

After execution, the resolver applies the attribute extractor and filter configured for the application before returning the resulting attributes.

NameSpaces

This page refers to several different namespaces, as detailed below:

| Namespace | URI | Description |
|---|---|---|
| saml | urn:oasis:names:tc:SAML:1.0:assertion | SAML1 assertion namespace |
| saml2 | urn:oasis:names:tc:SAML:2.0:assertion | SAML2 assertion namespace |

Attributes

| Name | Type | Default | Description |
|---|---|---|---|
| policyId | string | | Optional identifier of a customized security policy to use. |
| subjectMatch | boolean | false | If true, enforces SAML "strong matching" requirements on the subject of the resulting assertions. By default, the IdP is trusted to return an assertion about the queried subject without explicitly comparing the result. |
| exceptionId | string | | Optional identifier of a special attribute to create in the event of a "transient" failure during the query. Errors are considered transient if they are caused by system outages or misconfiguration. If an IdP appears to support the query protocol, then transient errors include any failure to obtain a successful SAML response or a violation of security policy while processing the result. If such errors occur, the attribute will contain one or more URL-encoded exception messages, and the application should be aware that not all of the "usual" attributes it might receive are available. |

Child Elements

| Name | Cardinality | Description |
|---|---|---|
| <saml2:Attribute> | 0 or more | Supplies a set of attribute and value filters to include in any SAML 2.0 queries. |
| <saml1:AttributeDesignator> | 0 or more | Supplies a set of attribute designators to include in any SAML 1.x queries. |

Example

<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
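
An added example, not part of the original page or of Shibboleth itself, of how an application can react to the exceptionId attribute described above so that a failed query is not mistaken for a user who lacks a permission. It assumes exceptionId="queryError" and an attribute named entitlement (both hypothetical names), that the application receives attributes as a name-to-string mapping, and that multiple values are joined with ";" with literal semicolons escaped as "\;".

```python
import re
from urllib.parse import unquote

# Assumption: the resolver was configured with exceptionId="queryError"
# (hypothetical name), so this attribute appears only after a failed query.
EXCEPTION_ATTR = "queryError"
# Assumption: hypothetical attribute id the application authorizes on.
ENTITLEMENT_ATTR = "entitlement"

# Assumption: values are joined with ";" and a literal ";" is escaped as "\;".
_UNESCAPED_SEMICOLON = re.compile(r"(?<!\\);")


def split_values(raw):
    """Split a delimited attribute string into its individual values."""
    return [v.replace("\\;", ";") for v in _UNESCAPED_SEMICOLON.split(raw) if v]


def query_failures(attrs):
    """Return the decoded exception messages, or [] if the query did not fail."""
    # Split first, then URL-decode, so an encoded ";" (%3B) stays in its message.
    return [unquote(v) for v in split_values(attrs.get(EXCEPTION_ATTR, ""))]


def authorize(attrs, required_entitlement):
    """Return (decision, failures); only "allow" grants access.

    "unavailable" means the attribute set is known to be incomplete, so the
    missing entitlement says nothing about the user: refuse, but as a
    retryable error that is logged, not as a permission denial.
    """
    if required_entitlement in split_values(attrs.get(ENTITLEMENT_ATTR, "")):
        return ("allow", [])
    failures = query_failures(attrs)
    if failures:
        return ("unavailable", failures)
    return ("deny", [])


# Constructed sample sessions (not real SP output).
SESSION_OK = {"entitlement": "urn:example:staff;urn:example:admin"}
SESSION_NO_RIGHTS = {"entitlement": "urn:example:student"}
SESSION_QUERY_FAILED = {
    "queryError": "Unable%20to%20contact%20the%20attribute%20authority"
                  ";Security%20policy%20violation%3B%20response%20rejected",
}
```

Both "unavailable" and "deny" refuse access; the distinction only changes what the application logs and tells the user.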