to Homepage
You are located in service Identity Management
General information
RWTH Single Sign-On (via Shibboleth)
IT Center Help

You are located in service: Identity Management

Changing/transforming attributes
Print page

Changing/transforming attributes

Kurzinformation

If you want to change an attribute on the service provider page to meet your own needs, you can use "TransformAttributeResolver" for this purpose.

The "Transform" uses the Shared Library plugins.so. For this reason, an additional entry should be made in /etc/shibboleth/shibboleth2.xml:

<OutOfProcess logger="shibd.logger">

  <Extensions>

    <Library path="plugins.so"/>

  </Extensions>

</OutOfProcess>

Detailinformation

Example: Dividing displayName into the first and last name

A correspondent resolver is to be configured in /etc/shibboleth/shibboleth2.xml:

<AttributeResolver type="Transform" source="displayName">

    <Regex match="^(.+) (.+)$" dest="givenName">$1</Regex>

    <Regex match="^(.+) (.+)$" dest="sn">$2</Regex>

    <Regex match="^(.+) (.+)$">$2, $1</Regex>

</AttributeResolver>

Here, the attribute "displayName" is divided into two addinional attributes, namely "givenName" and "sn", on the one  hand, and on the other hand, the display name is assigned the format "last name, firstname". For this purpose, a Regex is defined (here: two Redx groups) and the matches are extracted correspondently.

Example: extracting eduPersonTargetedID

Another example is the attribute "eduPersonTargetedID":

<AttributeResolver type="Transform" source="persistent-id>

    <Regex match="^https://login.rz.rwth-aachen.de/shibboleth\!https://mein.sp/shibboleth\!(.+)$" dest="uniqueID">$1</Regex>

</AttributeResolver>

OR

<AttributeResolver type="Transform" source="persistent-id">

    <Regex match="^(.+)!(.+)!(.+)$" dest="uniqueID">$3</Regex>

</AttributeResolver>

In both examples, the 64 symbol string is extracted out of eduPersonTargetedID and is written into the field "uniqueID".

In the latter example:

  • $1 of IdP, who provides eduPersonTargetedID 
  • $2 of SP, who consumes eduPersonTargetedID
  • $3 the 64 symbol long, per SP defined, ID

Example: removing a part of a string (here orgID out of eduPersonEntitlements such as a role string)

If you want to remove a part of the string because the application cannot handle it, you can transform the attribute as follows:

<AttributeResolver type="Transform" source="eduPersonEntitlement">

    <Regex match="^(.+):(orgid=.+)$" dest="entitlement">$1</Regex>

</AttributeResolver>

In this case in $1, the old entitlement is saved in "entitlement". In $2, the orgID is available.

last changed on 03/27/2023

How did this content help you?

Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License
Chat