    <!-- sn and givenName carry their standard LDAP OIDs (2.5.4.4 and 2.5.4.42);
         urn:oid:1.3.6.1.4.1.25178.1.2.10 is schacHomeOrganizationType and must not be reused for them -->
    <md:RequestedAttribute FriendlyName="sn"
        Name="urn:oid:2.5.4.4"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        isRequired="true"/>
    <md:RequestedAttribute FriendlyName="givenName"
        Name="urn:oid:2.5.4.42"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        isRequired="true"/>
    <md:RequestedAttribute FriendlyName="idmNrwDocumentSurname"
        Name="urn:oid:1.3.6.1.4.1.22177.400.1.2.1.2"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        isRequired="true"/>
    <md:RequestedAttribute FriendlyName="idmNrwDocumentGivenName"
        Name="urn:oid:1.3.6.1.4.1.22177.400.1.2.1.1"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        isRequired="true"/>
    <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        isRequired="true"/>
    <md:RequestedAttribute FriendlyName="mail"
        Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        isRequired="true"/>
    <md:RequestedAttribute FriendlyName="schacHomeOrganizationType"
        Name="urn:oid:1.3.6.1.4.1.25178.1.2.10"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        isRequired="true"/>
</md:AttributeConsumingService>
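As an added check that is neither part of this page nor of the Shibboleth distribution: the following Python script parses an AttributeConsumingService fragment and flags the two mistakes a copy-and-paste edit of the RequestedAttribute list easily produces, a FriendlyName whose Name does not carry the OID registered for that attribute, and one OID requested under several FriendlyNames. The KNOWN_OIDS table holds the standard OIDs of the attributes used on this page; the embedded fragment is constructed and deliberately repeats the schacHomeOrganizationType OID for sn and givenName so that the check has something to find.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Standard OIDs of the attributes used on this page (LDAP, eduPerson, SCHAC);
# these are the same Name values a Shibboleth SP's attribute-map.xml uses.
KNOWN_OIDS = {
    "sn": "urn:oid:2.5.4.4",
    "givenName": "urn:oid:2.5.4.42",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "schacHomeOrganizationType": "urn:oid:1.3.6.1.4.1.25178.1.2.10",
}

# Constructed test fragment: the sn and givenName entries were copy-pasted
# from the schacHomeOrganizationType entry and carry its OID.
SAMPLE = f"""<md:AttributeConsumingService xmlns:md="{MD_NS}" index="1">
  <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
  <md:RequestedAttribute FriendlyName="sn"
      Name="urn:oid:1.3.6.1.4.1.25178.1.2.10" isRequired="true"/>
  <md:RequestedAttribute FriendlyName="givenName"
      Name="urn:oid:1.3.6.1.4.1.25178.1.2.10" isRequired="true"/>
  <md:RequestedAttribute FriendlyName="mail"
      Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
  <md:RequestedAttribute FriendlyName="schacHomeOrganizationType"
      Name="urn:oid:1.3.6.1.4.1.25178.1.2.10" isRequired="true"/>
</md:AttributeConsumingService>"""


def lint_requested_attributes(xml_text, known=KNOWN_OIDS):
    """Return a list of findings (strings) for an AttributeConsumingService fragment."""
    root = ET.fromstring(xml_text)
    findings = []
    by_oid = {}  # Name (OID) -> list of FriendlyNames requesting it
    for ra in root.iter(f"{{{MD_NS}}}RequestedAttribute"):
        friendly = ra.get("FriendlyName", "")
        name = ra.get("Name", "")
        by_oid.setdefault(name, []).append(friendly)
        expected = known.get(friendly)
        if expected is not None and expected != name:
            findings.append(f"{friendly}: Name is {name}, expected {expected}")
    for oid, friendlies in by_oid.items():
        if len(set(friendlies)) > 1:
            findings.append(
                f"{oid} requested under several FriendlyNames: {', '.join(friendlies)}"
            )
    return findings


if __name__ == "__main__":
    for finding in lint_requested_attributes(SAMPLE):
        print(finding)
```

Run it against the RequestedAttribute block of your own SP metadata (or a copy of the AttributeConsumingService element) after editing; an attribute whose Name is wrong is silently not released by the IdP, which is much harder to diagnose from the SP side than from this output.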
If the service provider requires the pairwise-id, the metadata extensions must be adapted:
If you want to change an attribute on the service provider side to suit your own needs, you can use the Transform AttributeResolver.
The Transform resolver is implemented in the shared library plugins.so, which shibd does not load by default. Attribute resolution runs in shibd, so the library has to be loaded in the OutOfProcess section of /etc/shibboleth/shibboleth2.xml (not in InProcess). shibboleth2.xml already contains one OutOfProcess element; add the Extensions child to that element rather than creating a second one:
<OutOfProcess logger="shibd.logger">
    <Extensions>
        <Library path="plugins.so"/>
    </Extensions>
</OutOfProcess>
Example: Dividing displayName into the first and last name
For this purpose, a corresponding resolver is configured in /etc/shibboleth/shibboleth2.xml:
<AttributeResolver type="Transform" source="displayName">
    <Regex match="^(.+) (.+)$" dest="givenName">$1</Regex>
    <Regex match="^(.+) (.+)$" dest="sn">$2</Regex>
    <Regex match="^(.+) (.+)$">$2, $1</Regex>
</AttributeResolver>
Here the attribute "displayName" is split into two additional attributes, "givenName" and "sn", and the display name itself is rewritten to the form "last name, first name" (a Regex without dest writes back to the source attribute). The same regex with two capture groups is used three times and the matches are extracted accordingly. Note that the first group is greedy: everything up to the last space becomes givenName and only the last word becomes sn, so a value such as "Jan van Dijk" yields givenName "Jan van" and sn "Dijk". If such names occur, use the IdP-supplied sn and givenName instead of deriving them.
Example: extracting eduPersonTargetedID
Another example is the attribute "eduPersonTargetedID". The SP's attribute-map.xml decodes it into the attribute "persistent-id", whose value has the form "<IdP entityID>!<SP entityID>!<identifier>":
<AttributeResolver type="Transform" source="persistent-id">
    <Regex match="^https://login.rz.rwth-aachen.de/shibboleth\!https://mein.sp/shibboleth\!(.+)$" dest="uniqueID">$1</Regex>
</AttributeResolver>
or, without pinning the two entity IDs:
<AttributeResolver type="Transform" source="persistent-id">
    <Regex match="^(.+)!(.+)!(.+)$" dest="uniqueID">$3</Regex>
</AttributeResolver>
In both examples, the 64-character identifier is extracted from eduPersonTargetedID and written to the attribute "uniqueID". The first variant only matches values issued by exactly this IdP for exactly this SP (replace https://mein.sp/shibboleth with your own entityID); the second accepts any IdP, which is usually what you want when the SP is registered with a federation, but it then also accepts identifiers that were not scoped to your SP, so do not rely on uniqueID alone for authorization decisions.
In the latter example:
Example: removing a part of a string (here orgID out of eduPersonEntitlements such as a role string)
If you want to remove part of the string because the application cannot handle it, you can transform the attribute as follows:
<AttributeResolver type="Transform" source="eduPersonEntitlement">
    <Regex match="^(.+):(orgid=.+)$" dest="entitlement">$1</Regex>
</AttributeResolver>
Here $1, the entitlement without the trailing ":orgid=..." part, is written to the new attribute "entitlement". $2 holds the "orgid=..." part; this rule does not use it, but a second Regex element with its own dest could write it to a separate attribute. Values of eduPersonEntitlement that carry no ":orgid=" suffix do not match the regex and therefore produce no "entitlement" value, so test with such a value before the application relies on the attribute being populated.
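To check Transform rules before restarting shibd, here is an added Python model of the resolver's regex handling; it is not code from this page or from the Shibboleth project. It applies the three rule sets of the examples above (displayName split, eduPersonTargetedID extraction, orgid removal) to constructed attribute values, with the entity IDs and identifiers being placeholders, and assumes: rules run in order, a Regex with dest appends one value per matching source value and nothing for non-matching values, and a Regex without dest rewrites matching source values in place. Shibboleth's own regex engine may differ from Python's re in corner cases, so treat the result as a plausibility check of the patterns, not as proof.

```python
import re

# One tuple per <Regex match="..." dest="...">replacement</Regex> element:
# (match, dest, replacement). dest=None models a Regex without dest.
DISPLAYNAME_RULES = [
    (r"^(.+) (.+)$", "givenName", "$1"),
    (r"^(.+) (.+)$", "sn", "$2"),
    (r"^(.+) (.+)$", None, "$2, $1"),
]
TARGETEDID_PINNED = [
    (r"^https://login.rz.rwth-aachen.de/shibboleth\!https://mein.sp/shibboleth\!(.+)$",
     "uniqueID", "$1"),
]
TARGETEDID_GENERIC = [(r"^(.+)!(.+)!(.+)$", "uniqueID", "$3")]
ENTITLEMENT_RULES = [(r"^(.+):(orgid=.+)$", "entitlement", "$1")]

# Constructed sample values (placeholders, not real identities).
# "Jan van Dijk" shows what the greedy first group does with a multi-word
# surname; the second entitlement has no orgid suffix and will not match.
SAMPLE_ATTRS = {
    "displayName": ["Anna Müller", "Jan van Dijk"],
    "persistent-id": [
        "https://login.rz.rwth-aachen.de/shibboleth!https://mein.sp/shibboleth!"
        + "0123456789abcdef" * 4
    ],
    "eduPersonEntitlement": [
        "urn:mace:example.org:role:student:orgid=4711",
        "urn:mace:example.org:role:staff",
    ],
}


def _expand(pattern, value, replacement):
    """Expanded replacement if pattern matches value, otherwise None."""
    m = re.search(pattern, value)
    if m is None:
        return None
    # shibboleth2.xml writes $1, $2, ...; Python's Match.expand wants \g<1>, \g<2>, ...
    return m.expand(re.sub(r"\$(\d+)", r"\\g<\1>", replacement))


def apply_transform(attrs, source, rules):
    """Apply the rules of one Transform resolver to attrs[source] (assumed semantics).

    Rules run in order. A rule with dest appends one value per matching source
    value to dest and contributes nothing for non-matching values; a rule
    without dest rewrites matching source values in place and leaves the
    others untouched. Returns a new attribute dict; attrs is not modified.
    """
    out = {k: list(v) for k, v in attrs.items()}
    for pattern, dest, replacement in rules:
        values = out.get(source, [])
        if dest is None:
            rewritten = []
            for v in values:
                e = _expand(pattern, v, replacement)
                rewritten.append(v if e is None else e)
            out[source] = rewritten
        else:
            hits = [_expand(pattern, v, replacement) for v in values]
            out.setdefault(dest, []).extend(h for h in hits if h is not None)
    return out


def demo():
    """Run the three example resolvers of this page over SAMPLE_ATTRS."""
    a = apply_transform(SAMPLE_ATTRS, "displayName", DISPLAYNAME_RULES)
    a = apply_transform(a, "persistent-id", TARGETEDID_GENERIC)
    a = apply_transform(a, "eduPersonEntitlement", ENTITLEMENT_RULES)
    return a


if __name__ == "__main__":
    for name, values in sorted(demo().items()):
        print(f"{name}: {values}")
```

The output makes the two caveats from the text visible: "Jan van Dijk" ends up as givenName "Jan van" and sn "Dijk", and the staff entitlement without ":orgid=" leaves no trace in "entitlement". Place a Regex without dest last in its resolver, as on this page, because once it has rewritten the source values, later rules see the rewritten form.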
Read more: