Requesting and Changing Attributes
On this page you will find information on how to request attributes and customize them with your Shibboleth service provider module for the applications to be protected.
- Joining an entity category with the service provider
- Requesting attributes via the service provider metadata
- Requesting pairwise-id
- Changing attributes
Joining an entity category with the service provider
For a local service provider to be able to consume the attributes released as standard by IDM.nrw, it must belong to the entity category https://sso.rwth-aachen.de/category/rwth.
For this purpose, the following must be entered in the <Extensions> area of the service provider's metadata:
Requesting attributes via the service provider metadata
If the service provider now wants to use one of the attributes recommended by IDM.nrw for general release, its configuration inside the <SPSSODescriptor> element must include the following:
If the service provider requires the pairwise-id, the metadata extensions must be adapted:
If you want to change an attribute on the service provider side to meet your own needs, you can use the "Transform" AttributeResolver for this purpose.
The Transform resolver is provided by the shared library plugins.so. For this reason, an additional entry must be made in /etc/shibboleth/shibboleth2.xml:
    <OutOfProcess logger="shibd.logger">
        <Extensions>
            <Library path="plugins.so"/>
        </Extensions>
    </OutOfProcess>
Example: splitting displayName into first and last name
For this purpose, a corresponding resolver is configured in /etc/shibboleth/shibboleth2.xml:
    <AttributeResolver type="Transform" source="displayName">
        <Regex match="^(.+) (.+)$" dest="givenName">$1</Regex>
        <Regex match="^(.+) (.+)$" dest="sn">$2</Regex>
        <Regex match="^(.+) (.+)$">$2, $1</Regex>
    </AttributeResolver>
Here, the attribute "displayName" is split into two additional attributes, "givenName" and "sn", and the display name itself is rewritten in the format "last name, first name". For this purpose, a regex with two capture groups is defined and the matches are extracted accordingly.
Example: extracting eduPersonTargetedID
Another example is the attribute "eduPersonTargetedID":
    <AttributeResolver type="Transform" source="persistent-id">
        <Regex match="^https://login.rz.rwth-aachen.de/shibboleth\!https://mein.sp/shibboleth\!(.+)$" dest="uniqueID">$1</Regex>
    </AttributeResolver>
or, without hard-coding the entity IDs:
    <AttributeResolver type="Transform" source="persistent-id">
        <Regex match="^(.+)!(.+)!(.+)$" dest="uniqueID">$3</Regex>
    </AttributeResolver>
In both examples, the 64-character string at the end of eduPersonTargetedID is extracted and written to the attribute "uniqueID".
In the latter example:
- $1 is the entity ID of the IdP that issues the eduPersonTargetedID
- $2 is the entity ID of the SP that consumes the eduPersonTargetedID
- $3 is the 64-character ID that is defined per SP
Example: removing part of a string (here the orgID from an eduPersonEntitlement value such as a role string)
If you want to remove part of the string because the application cannot handle it, you can transform the attribute as follows:
    <AttributeResolver type="Transform" source="eduPersonEntitlement">
        <Regex match="^(.+):(orgid=.+)$" dest="entitlement">$1</Regex>
    </AttributeResolver>
In this case, $1 (the entitlement without its orgid part) is written to "entitlement", while $2 holds the orgID.
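To check the three Transform configurations above before deploying them, the following added example (not Shibboleth code) emulates the resolver rules offline over constructed sample values. The rule semantics are an assumption modelled on the page's description: each Regex is applied to every value of the source attribute, matching values are rewritten with the $n template into dest (or replace the source values in place when dest is omitted), and non-matching values are skipped. The entity IDs and names in the sample are placeholders.

```python
"""Offline emulation of the Transform AttributeResolver rules from this page.
Semantics (assumed): per <Regex>, matching values are rewritten into `dest`,
or replace the source attribute when `dest` is None; non-matches are skipped."""
import re
from typing import Dict, List, Optional, Tuple

# (match, dest, template) triples copied from the page's three configurations
Rule = Tuple[str, Optional[str], str]
RULES: Dict[str, List[Rule]] = {
    "displayName": [
        (r"^(.+) (.+)$", "givenName", "$1"),
        (r"^(.+) (.+)$", "sn", "$2"),
        (r"^(.+) (.+)$", None, "$2, $1"),
    ],
    "persistent-id": [(r"^(.+)!(.+)!(.+)$", "uniqueID", "$3")],
    "eduPersonEntitlement": [(r"^(.+):(orgid=.+)$", "entitlement", "$1")],
}


def _template(tpl: str) -> str:
    """Turn Shibboleth's $1/$2 references into Python re group references."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", tpl)


def transform(attrs: Dict[str, List[str]], rules=RULES) -> Dict[str, List[str]]:
    """Apply the rules to a dict of multi-valued attributes; returns a new dict."""
    out = {k: list(v) for k, v in attrs.items()}
    for source, rule_list in rules.items():
        values = attrs.get(source, [])            # rules see the original values
        for match, dest, tpl in rule_list:
            rx = re.compile(match)
            rewritten = [rx.sub(_template(tpl), v) for v in values if rx.search(v)]
            if dest is None:
                out[source] = rewritten           # in-place replacement
            else:
                out.setdefault(dest, []).extend(rewritten)
    return out


# Constructed sample attributes (placeholder entity IDs, 64 'a's as the per-SP ID).
# The multi-part first name shows that the greedy "^(.+) (.+)$" puts everything
# before the LAST space into givenName, which is usually the intended behaviour.
SAMPLE = {
    "displayName": ["Anna Maria Schmidt"],
    "persistent-id": ["https://idp.example.org/idp!https://sp.example.org/shibboleth!" + "a" * 64],
    "eduPersonEntitlement": ["urn:mace:example:role:student:orgid=12345",
                             "urn:mace:dir:entitlement:common-lib-terms"],
}

if __name__ == "__main__":
    for name, vals in transform(SAMPLE).items():
        print(f"{name}: {vals}")
```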