Shibboleth V4 Attribute Resolver configuration schema
Root of the attribute resolver configuration file.
A unique identifier for this Resolver.
Defines an attribute definition within this resolver.
Attribute definitions define the finished attributes to be released by the
resolver.
Definitions derived from this type need to explicitly include (as a choice)
the Dependency, DisplayName, DisplayDescription and Encoder sub-elements.
A boolean flag that indicates whether this attribute definition is
only defined because its data is needed elsewhere within the resolver
and as such should not be released outside the resolver.
A boolean flag that indicates whether this attribute definition and
its dependencies are to be resolved in a "first pass", prior to the
main resolution. These attributes will be populated into a child
context so as to be available to activationConditions.
Defines an encoder for an attribute.
An attribute encoder is responsible for converting an attribute, and its values,
into a protocol specific representation such as a SAML 1 or SAML 2 Attribute.
The use of them to produce a SAML NameIdentifier/NameID is DEPRECATED.
A scripted predicate which controls whether this encoder will run.
A boolean indicating whether the encoding should include type information. This is
encoding-specific (e.g., for XML it likely involves xsi:type).
A reference to a Predicate which controls whether this encoder will run.
Mutually exclusive with relyingParties.
A (space separated) list of entities for which this plugin is to be active.
Mutually exclusive with activationConditionRef.
Defines a data connector which is used to pull information from local
infrastructure.
Data connectors pull information from local infrastructure, such as
databases and LDAP directories, and make these raw attributes available
to attribute definitions for finishing.
Time to bypass connector after a failure before trying it again.
A list of attribute names to be exported by the resolution process from this data connector.
A base type for all attribute resolver plugins: data and principal
connectors and attribute definitions.
A unique identifier for this definition.
A reference to a predicate to decide whether this plugin is applicable.
Mutually exclusive with [exclude]relyingParties and [exclude]resolutionPhases.
A (space separated) list of entities for which this plugin is to be active.
Mutually exclusive with activationConditionRef.
A (space separated) list of entities for which this plugin is to be inactive.
Mutually exclusive with activationConditionRef.
A (space separated) list of resolution "phases" for which this plugin is to be active.
Mutually exclusive with activationConditionRef.
A (space separated) list of resolution "phases" for which this plugin is to be inactive.
Mutually exclusive with activationConditionRef.
DEPRECATED: Whether to ripple errors produced by the plugin out to the resolver (default is true).
Defines a dependency on a specific Attribute Definition.
Defines a dependency on a specific Data Connector.
attributeNames is a space separated list of attribute names. Property replacement is done
before "listification".
allAttributes means take all attributes. Property replacement is done before conversion.
Only one of the above is allowed.
Defines a data connector to use should the parent data connector fail.
An (abstract) type that represents a reference to another plugin
Performs many to one mapping of source values to a return value. SourceValue strings may include regular
expressions and the ReturnValue may include back references to capturing groups as supported by
java.util.regex.Pattern.
The value to be returned from this value map.
A regular expression string to be matched against the incoming value.
If true, value matching will be case-sensitive.
If true, the SourceValue may match only a substring of the incoming value. By
default, it must match the entire value.
An attribute definition to pull attribute values from anywhere in the PRC (ProfileRequestContext) tree.
The Function to generate the Attribute Values given a PRC.
The mapped attribute definition performs a many to many mapping from source attribute values provided
by the definition's dependencies to values which are returned. Each source value is passed through each
defined ValueMap, which may result in one or more resulting values. If no ValueMaps match the source
value and a DefaultValue is defined, the DefaultValue is used.
A source value is mapped to the DefaultValue if none of the ValueMaps result in a match.
This string may not contain regular expression back references.
If true, the source value is passed through unmodified. If passThru is
enabled, DefaultValue may not contain a string value.
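The mapping semantics just described, as an added Python model that is not part of the IdP code base: the names ValueMap, SourceValue, ReturnValue, DefaultValue and passThru follow the schema, the flag names ignoreCase and partialMatch are assumed to be the SourceValue attributes, and the `$n` back-reference syntax follows java.util.regex.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of a Mapped attribute definition (added example, not IdP code).
# ignore_case / partial_match are assumed to mirror the SourceValue flags.


@dataclass
class SourceValue:
    pattern: str                 # regular expression matched against the incoming value
    ignore_case: bool = False    # case-insensitive matching when True
    partial_match: bool = False  # match a substring when True, else the whole value


@dataclass
class ValueMap:
    return_value: str            # may contain $1, $2 ... back references
    sources: List[SourceValue]

    def apply(self, value: str) -> Optional[str]:
        """Return the mapped value for the first matching SourceValue, or None."""
        for src in self.sources:
            regex = re.compile(src.pattern, re.IGNORECASE if src.ignore_case else 0)
            match = regex.search(value) if src.partial_match else regex.fullmatch(value)
            if match:
                # Java-style $n back references become Python \g<n> group references.
                template = re.sub(r"\$(\d+)", r"\\g<\1>", self.return_value)
                return match.expand(template)
        return None


def map_values(source_values, value_maps, default_value=None, pass_thru=False):
    """Apply every ValueMap to every source value (many-to-many).

    A source value that matches no ValueMap becomes the DefaultValue, or is passed
    through unchanged when passThru is set; with neither it is dropped.
    """
    if pass_thru and default_value is not None:
        raise ValueError("DefaultValue may not carry a string value when passThru is enabled")
    results = []
    for value in source_values:
        mapped = [r for r in (vm.apply(value) for vm in value_maps) if r is not None]
        if mapped:
            results.extend(mapped)
        elif pass_thru:
            results.append(value)
        elif default_value is not None:
            results.append(default_value)
    return results


# Constructed sample ValueMaps: affiliation normalisation plus a group DN rewrite.
VALUE_MAPS = [
    ValueMap("member", [SourceValue("staff", ignore_case=True),
                        SourceValue("student", ignore_case=True)]),
    ValueMap("employee", [SourceValue("staff")]),
    ValueMap("group-$1", [SourceValue(r"cn=([^,]+),ou=groups,dc=example,dc=org")]),
    ValueMap("privileged", [SourceValue("admin", partial_match=True)]),
]


def demo():
    # Constructed source values, as a dependency might supply them.
    return map_values(
        ["Staff", "student", "cn=admins,ou=groups,dc=example,dc=org", "alumni"],
        VALUE_MAPS, default_value="affiliate")


if __name__ == "__main__":
    print(demo())
```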
An attribute definition that splits the values of the source attribute into an attribute value
with a value and scope.
Delimiter between the value and scope.
Exposes the principal's name as an attribute definition.
An attribute definition that splits the source attribute's values based on a regular expression.
The regular expression used to split a value.
A boolean flag indicating the case sensitivity of the regular expression.
DEPRECATED: An attribute definition that creates attributes whose values are SAML 1 NameIdentifiers.
The SAML 1 NameFormat of the NameID.
The SAML 1 NameQualifier of the NameID.
DEPRECATED: An attribute definition that creates attributes whose values are SAML 2 NameIDs.
The SAML 2 NameFormat of the NameID.
The SAML 2 NameQualifier of the NameID.
The SAML 2 SPNameQualifier of the NameID.
A basic attribute definition which supports attribute scoping.
Value to use for scoping the attribute.
Attribute whose values will be used for scoping the attribute.
An attribute definition that constructs its attributes by means of a script supported by JSR-223. The
script is provided all the edu.internet2.middleware.shibboleth.common.attribute.Attribute objects
resolved from all of the definition's dependencies. The resultant attribute definition must then be bound to
a script attribute corresponding to the script variable whose name is the ID of the definition. This
variable is injected into the script by the attribute definition.
The script to evaluate to construct the attribute.
The filesystem path to the script to evaluate to construct the attribute.
The JSR-223 name for the scripting language that will be used. By default "javascript" is
supported.
The name of a bean defined somewhere else which will be injected into the script as an
object called "custom". If not supplied, nothing is injected.
A basic attribute definition.
Whether null values are dropped (default: FALSE).
An attribute definition producing date/time values.
Are conversion errors ignored? (default: FALSE)
Use seconds as the epoch unit instead of milliseconds when converting numeric data (default: TRUE).
A formatting string to use converting string data.
An attribute definition involving an encrypted (DataSealed) attribute.
Value to use for the decryption key.
An attribute definition to pull attribute values from the Principals. A shortcut looks at IdPAttributePrincipals.
Provides a plug-in point to allow general extraction of values from Principals.
Mutually exclusive with principalAttributeName.
The id of the IdPAttribute contained within a IdPAttributePrincipal to look for.
Mutually exclusive with attributeValueEngineRef.
If true, the source Subject is assumed to be undergoing C14N rather than the
usual post-authentication source. Defaults to false.
An Attribute Definition that constructs its values based on the values of its dependencies using the
Velocity Template Language. Dependencies may have multiple values; however, multiple dependencies must
have the same number of values. In the case of multi-valued dependencies, the template will be evaluated
multiple times, iterating over each dependency.
Template specified in the Velocity Template Language used to construct attribute values.
Name of the Velocity engine defined within the application.
An ID created by digesting the requesting entityID, an attribute value (usually a user identifier), and a salt.
The name of the attribute produced by this data connector.
A salt, of at least 16 bytes, used in the computed ID.
A base64-encoded salt, of at least 16 bytes, used in the computed ID.
The JCE digest algorithm to use, defaults to SHA-1.
An encoding type to apply after the digest, defaults to BASE64 but should
be set to BASE32.
Spring bean reference to a map of overrides that alter salt or suppress generation
for particular users/services.
Spring bean reference to a BiFunction<ProfileRequestContext,PairwiseId>
to obtain the salt.
A data connector that can pull information from an LDAP, version 3, directory.
A template used to construct the LDAP filter used to query the directory.
A space separated list of attributes that should be returned from the query.
A space separated list of attributes whose values should be encoded.
The X.509 trust information to use when connecting to the directory over LDAPS or startTLS.
DEPRECATED in 3.4. Use trustFile= instead.
The X.509 client authentication information to use when connecting to the directory over LDAPS or startTLS.
DEPRECATED in 3.4. Use authCert= and authKey= instead.
The URL to the LDAP server.
If the search scope is set to ONELEVEL, only the entries
within this node will be searched; if SUBTREE is specified, entries within this node and descendant
nodes will be searched.
The LDAP connection strategy. Acceptable values are ACTIVE_PASSIVE, ROUND_ROBIN and RANDOM.
Default value is ACTIVE_PASSIVE.
The base DN from which attribute search filtering occurs.
The DN for the principal connecting to the LDAP directory.
The credential for the principal connecting to the LDAP directory.
The LDAP search scope. Acceptable values are OBJECT, ONELEVEL, SUBTREE.
Default value is SUBTREE.
The LDAP alias dereference behavior. Acceptable values are NEVER, SEARCHING, FINDING, ALWAYS.
Default value is NEVER.
A boolean flag indicating whether search referrals and search references should be followed.
Default value is false.
A boolean flag indicating whether startTLS should be used when connecting to the LDAP directory.
Default value is false.
The maximum amount of time to wait for startTLS responses. If this limit is
reached a timeout error is raised. Default value is 3 seconds.
Time is expressed in ISO8601 duration format.
The maximum amount of time to wait for search results. If this limit is
reached a timeout error is raised. Default value is 3 seconds.
Time is expressed in ISO8601 duration format.
The maximum amount of time to wait for connections to open. If this limit is
reached a timeout error is raised. Default value is 3 seconds.
Time is expressed in ISO8601 duration format.
The maximum amount of time to wait for operation responses. If this limit is
reached a timeout error is raised. Default value is 3 seconds.
Time is expressed in ISO8601 duration format.
A boolean flag indicating whether unexpectedly closed connections should automatically attempt to reconnect.
Default value is true.
The maximum amount of time to wait for a reconnect to occur. If this limit is
reached a timeout error is raised. Default value is 10 seconds.
Time is expressed in ISO8601 duration format.
The maximum number of results that may be returned from a query.
Default value is 1.
A boolean flag indicating whether a query returning no results should be considered an error. If
an error is raised and a failover dependency is defined for this connector the failover will
be invoked.
Default value is false.
A boolean flag indicating whether a query returning more than one result should be considered an error. If
an error is raised and a failover dependency is defined for this connector the failover will
be invoked.
Default value is false.
Whether to lowercase LDAP attribute names used as IDs for Shibboleth attributes.
Name of the template engine defined within the application.
Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
Reference to a Spring bean providing the MappingStrategy implementation to use.
Reference to a Spring bean providing the Connection Factory implementation to use.
Reference to a Spring bean providing the Search Operation implementation to use.
Reference to a Spring bean providing the Validator implementation to use.
Path to a file with the X.509 trust information to use when connecting to the directory over LDAPS or startTLS.
Whether to disable hostname/certificate checking during TLS. Defaults to false.
Path to a file with the X.509 client authentication certificate to use when connecting to the directory over LDAPS or startTLS.
Path to a file with the X.509 client authentication key to use when connecting to the directory over LDAPS or startTLS.
Password for the supplied authKey.
Whether to fail if the LDAP server cannot be verified at startup (defaults to false).
A connector for pairwise ID production that directly leverages a PairwiseIdStore bean.
Bean name of the PairwiseIdStore to use.
The name of the attribute produced by this data connector.
A data connector definition that uses JDBC version 3 to connect to and pull information from a
relational database.
A connection, or pool of connections, to the database managed by the application
container.
A connection, or pool of connections, to the database managed by the data connector.
A connection, or pool of connections, to the database configured in a Spring bean.
A template that will be used to create the SQL query that pulls information from the
database.
Timeout for the queries made to the database.
Timeout is given in ISO8601 duration form.
A boolean flag indicating whether a query returning no results should be considered an error. If
an error is raised and a failover dependency is defined for this connector the failover will
be invoked.
Default value is false.
A boolean flag indicating whether a query returning more than one result should be considered an error. If
an error is raised and a failover dependency is defined for this connector the failover will
be invoked.
Default value is false.
Name of the template engine defined within the application.
Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
Reference to a Spring bean providing the MappingStrategy implementation to use.
Reference to a Spring bean providing the Validator implementation to use.
Whether to fail if the DataConnector cannot be verified at startup (defaults to false).
A data connector definition that issues requests and parses responses using HTTP, typically
via a form of web service. REST and scripted handling of responses, typically in JSON,
is the primary use case.
A template that will be used to create the absolute URL to request.
A template that will be used to create a body to POST.
A template that will be used to create a key to the caching of the results.
Maps the response into attributes by means of scripting.
Reference to a Spring bean providing the HttpClient to use.
Reference to a Spring bean providing the HttpClientSecurityParameters to use.
Location of the certificate used to authenticate the HTTP server.
Location of the CA certificate used to indirectly authenticate the HTTP server.
Location of the private key used to authenticate the client via TLS.
Location of the client certificate used to authenticate the client via TLS.
Name of the template engine defined within the application.
Maximum size of response body to accept.
A space-delimited list of HTTP status codes that should be treated as successful.
A space-delimited list of MIME content types that should be accepted.
Reference to a Spring bean providing a Map<String,String> of request headers to set.
Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
Reference to a Spring bean providing the MappingStrategy implementation to use.
Reference to a Spring bean providing the Validator implementation to use.
Whether to fail if the HTTP server cannot be verified at startup (defaults to false).
No verification takes place currently.
A data connector that constructs attributes by means of a script supported by JSR-223. Populated
Attributes are added to the java.util.Collection "connectorResults".
The script to evaluate to construct the attribute.
The filesystem path to the script to evaluate to construct the attribute.
The JSR-223 name for the scripting language that will be used. By default "javascript" is
supported.
The name of a bean defined somewhere else which will be injected into the script as an
object called "custom". If not supplied, nothing is injected.
A data connector that gets its information from a static list of attributes and values specified within
this configuration.
Specifies an attribute, and its values, to be exposed by this connector.
A value of the attribute. If the value contains characters that would
otherwise need to be XML encoded you may wrap the value in a CDATA section.
The ID of the attribute.
The name of a bean defined somewhere else which describes a List of IdPAttributes.
A data connector definition that queries for a record via the IdP's StorageService API.
Simple and scripted handling of records, typically in JSON, is the primary use case.
A template that will be used to create the context to query.
A template that will be used to create the key to query.
Maps the record into attributes by means of scripting.
Mutually exclusive with generatedAttributeID attribute.
Reference to Spring bean of the StorageService to use.
Object injected into the Context/Key template-building process.
The name of the attribute produced by this data connector if simple
record mapping is used. Mutually exclusive with ResponseMapping element.
A boolean flag indicating whether a search returning no record should be considered an error. If
an error is raised and a failover dependency is defined for this connector the failover will
be invoked.
Default value is false.
Name of the template engine defined within the application.
Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
Reference to a Spring bean providing the MappingStrategy implementation to use.
A connector that retrieves a pairwise ID from a database.
A connection, or pool of connections, to the database managed by the application
container.
A connection, or pool of connections, to the database configured in a Spring bean.
Timeout for the queries made to the database.
Timeout is given in ISO8601 duration form.
Number of retries if insert fails (defaults to 3).
Overrides name of database table to use.
Whether to fail if the store cannot be verified at startup (defaults to false).
A space-delimited list of SQLState codes to treat as retryable (indicating
a duplicate insert error occurred).
The name of the attribute produced by this data connector.
A salt, of at least 16 bytes, used in the computed ID.
A base64-encoded salt, of at least 16 bytes, used in the computed ID.
The JCE digest algorithm to use, defaults to SHA-1.
An encoding type to apply after the digest, defaults to BASE64 but should
be set to BASE32.
Spring bean reference to a map of overrides that alter salt or suppress generation
for particular users/services.
Spring bean reference to a BiFunction<ProfileRequestContext,PairwiseId>
to obtain the salt.
A data connector that constructs attributes by extracting all IdPAttributePrincipal objects
found within the Subject(s) associated with the requests.
This is a streamlined alternative to extracting them one by one with the SubjectDerivedAttribute
plugin, provided that encoding and other attribute metadata can be obtained from the system's
generalized transcoding facility.
A boolean flag indicating whether an absence of any results will cause an error. If an error
is raised and a failover dependency is defined for this connector the failover will be invoked.
Default value is false.
If true, the source Subject is assumed to be undergoing C14N rather than the
usual post-authentication source. Defaults to false.
A connector for extracting mapped/decoded metadata tags from a peer's metadata.
Bean ID of a Function to locate the SAMLMetadataContext to operate on.
Default is to locate it under the inbound message context via SAMLPeerEntityContext.
The name of the database column.
The name of the attribute that data from this column should be added to.
SASL configuration properties.
Common properties include javax.security.sasl.qop, javax.security.sasl.strength, javax.security.sasl.server.authentication.
The SASL mechanism. Common values are EXTERNAL, DIGEST_MD5, CRAM_MD5, GSSAPI.
SASL authorization ID.
The SASL realm.
The minimum number of LDAP connections that should always be available in the pool.
Note that these connections are provisioned as soon as the pool is initialized.
Default value is 0.
The maximum number of LDAP connections that should ever be available in the pool.
Note that when this threshold is reached the pool will begin blocking until a connection
is available.
Default value is 3.
Amount of time to block while waiting for a connection from the pool. If no
wait time is given, callers will block indefinitely.
Values are expressed in ISO8601 duration format.
Whether each LDAP connection should be checked on a periodic basis.
Default value is false.
Interval at which the periodic pool validation process repeats.
LDAP objects are pruned when they have been idle beyond the expiration time.
The pool is not pruned below the minimum pool size.
Default value is 30 minutes.
Period is expressed in ISO8601 duration format.
LDAP compare DN to use for connection validation.
Used in conjunction with validateFilter to perform a compare.
Default value is empty.
LDAP compare filter to use for connection validation.
Used in conjunction with validateDN to perform a compare.
Default value is (objectClass=*).
Whether to validate connections when checking them out of the pool.
Duration between looking for idle connections to reduce the pool back
to its minimum size.
Time after which an object in the pool is considered stale and ready for removal.
Time is expressed in ISO8601 duration format.
Name of the CacheManager bean that will manage the result cache. This is not used.
Length of time a result will be cached after the last access.
Incompatible with expireAfterWrite.
Duration is expressed in ISO8601 duration notation.
Length of time a result will be cached from the time
it is inserted into the cache.
Incompatible with expireAfterAccess.
Duration is expressed in ISO8601 duration notation.
Maximum number of results that will be held in cache.
Describes a database connection source that is managed by the application container.
The resource name the DataSource is bound to in the JNDI tree.
The name of the property.
The value of the property.
Describes a simple database connection source that is managed by the attribute resolver data connector.
Included to "get people going" only.
This is the fully qualified class name of the JDBC driver used to connect to the database.
The JDBC URL for the database. These are usually of the form
jdbc:databaseProductName:databaseSpecificInformation. For example, jdbc:hsql:mem:MyDatabase
The user name to use while connecting to the database.
The password to use while connecting to the database.
Defines a SAML 1 string encoder for an attribute.
The SAML 1 Namespace of the attribute.
Defines a SAML 1 Base64 encoder for an attribute.
The SAML 1 Namespace of the attribute.
Defines a SAML 1 Base64 encoder for an attribute.
The SAML 1 Namespace of the attribute.
Defines a SAML 2 string encoder for an attribute.
The SAML 2 NameFormat of the attribute.
The SAML 2 FriendlyName of the attribute.
Defines a SAML 2 date/time encoder for an attribute.
The SAML 2 NameFormat of the attribute.
The SAML 2 FriendlyName of the attribute.
Defines a SAML 2 Base64 encoder for an attribute.
The SAML 2 NameFormat of the attribute.
The SAML 2 FriendlyName of the attribute.
Defines a SAML 2 Base64 encoder for an attribute.
The SAML 2 NameFormat of the attribute.
The SAML 2 FriendlyName of the attribute.
Defines an encoder for a scoped attribute.
The type of scoping to use for the encoded attribute. Valid values are "inline" or
"attribute".
If scopeType is "inline", this is the delimiter used between the attribute value and
scope.
If scopeType is "attribute", this is the name of the attribute used to carry the
scope value.
Defines a SAML 1 string encoder for a scoped attribute.
The SAML 1 Namespace of the attribute.
Defines a SAML 2 string encoder for a scoped attribute.
The SAML 2 NameFormat of the attribute.
The SAML 2 FriendlyName of the attribute.
A type for elements that allow for scripts to be declared inline or via a resource.
The script to evaluate to construct the attribute.
Path of a local resource containing the script to evaluate to construct the attribute.
The JSR-223 name for the scripting language that will be used.
By default "javascript" is assumed.
The name of a bean defined somewhere else which will be injected into the script as an
object called "custom". If not supplied, nothing is injected.