When using Shibboleth (v3) as SP , can I map the a

2019-06-07 08:21发布

OKTA is IdP and Shibboleth is SP in this setting. OKTA is passing attribute 'roles' something like idp_dev_SLAN_Power, idp_dev_SLAN_Admin, idp_dev_SLAN_account, etc

I am wondering if I can strip 'idp_dev_SLAN_' out when it takes this attribute.

Here is what I see in the current attribute-map.xml.

<Attribute id="roles" name="roles" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" />

I feel like I can possibly do something with AttributeDecoder. any idea??

标签： attributes shibboleth

1条回答

孤傲高冷的网名

2楼-- · 2019-06-07 09:16

I think you are probably looking for the Transform type of AttributeResolver which:

applies one or more regular expressions to an input attribute, either replacing its values, or generating new attributes. -- from the Shibboleth Wiki

An example is given:

<AttributeResolver type="Transform" source="displayName">
    <Regex match="^(.+) (.+)$" dest="givenName">$1</Regex>
    <Regex match="^(.+) (.+)$" dest="sn">$2</Regex>
    <Regex match="^(.+) (.+)$">$2, $1</Regex>
</AttributeResolver>

which transforms a displayName into two attributes givenName and sn. But I'm certain you could build a regular expression to grab idp_dev_SLAN_ for the various inbound elements and map those to 1 or more attributes of your desire.

0人赞添加讨论(0) 举报

When using Shibboleth (v3) as SP , can I map the a

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间