List: shibboleth-users
Subject: RE: Extracting multi value on NameFormat attribute
From: Nate_Klingenstein <ndk () signet ! id>
Date: 2021-02-18 17:12:36
Message-ID: 01010177b6211214-692120ff-6265-4bf5-bc8b-7d90dc57a83d-000000 () us-west-2 ! amazonses ! com
Prasanth,
> Are we able to extract multi value sent by idp for this saml attribute - memberOf with above SP configuration?
Yes, you should be able to. The values will all be concatenated by the SP into a single string that is ; delimited. You can change the delimiter if you want.
https://wiki.shibboleth.net/confluence/display/SP3/XMLAttributeExtractorExamples
> What is the use of attaching <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> and <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> ?
caseSensitive="false" is used internally by the SP when it's enforcing access control rules or policies on its own, such as with the built-in RequestMapper.
https://wiki.shibboleth.net/confluence/display/SP3/XMLAttributeExtractorExamples
An additional attribute decoder element will generally apply special rules, but the StringAttributeDecoder doesn't do much other than allow you to attach flags like caseSensitive:
https://wiki.shibboleth.net/confluence/display/SP3/AttributeDecoder
https://wiki.shibboleth.net/confluence/display/SP3/String+AttributeDecoder
The Scoped attribute decoder does a little more. The most important is that it's tied to the attribute filter which checks policy to ensure that the scope of the attribute matches a valid scope for the IdP in the IdP's metadata.
https://wiki.shibboleth.net/confluence/display/SP3/Scoped+AttributeDecoder
> Are we able to extract multi value sent by IdP for this saml attribute - memberOf with above SP configuration without attaching attribute decoder?
Yes, unless the values are scoped and you want to enforce those attribute policies, in which case you'll want to use a Scoped decoder. A String AttributeDecoder is defaulted and implicit in an otherwise unqualified extractor.
Best wishes,
Nate.
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
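
An added example, not part of the original message and not Shibboleth project code: one way an application behind the SP could split the ;-delimited memberOf string described above before making a group decision. It assumes the SP's default export, in which a literal ';' inside a value is written as '\;'; the function names and sample values are constructed for illustration.

```python
"""Split a multi-valued attribute string as exported by the Shibboleth SP."""

# SP default delimiter; the thread notes it can be changed in the SP config.
DELIM = ";"


def split_sp_values(raw):
    """Split on unescaped ';' and turn an escaped '\\;' back into ';'.

    Assumption: only the delimiter is backslash-escaped inside a value.
    """
    if not raw:
        return []
    values, current, i = [], [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] == DELIM:
            current.append(DELIM)  # escaped delimiter belongs to the value
            i += 2
            continue
        if ch == DELIM:
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    values.append("".join(current))
    return [v for v in values if v]  # drop empty entries


def is_member(raw, group, case_sensitive=True):
    """Compare against whole values, never a substring of the raw string.

    Per the thread, caseSensitive="false" affects the SP's own access
    control; the application has to choose its own comparison explicitly.
    """
    values = split_sp_values(raw)
    if not case_sensitive:
        return group.casefold() in {v.casefold() for v in values}
    return group in values


# Constructed sample: three values, the second contains a literal ';'.
SAMPLE = r"staff;ops\;admins;Auditors"

if __name__ == "__main__":
    print(split_sp_values(SAMPLE))       # parsed values
    print(SAMPLE.split(";"))             # naive split yields a spurious value
```

A plain `split(";")` on the sample produces a standalone `admins` entry that the IdP never sent as a value, which is why the escape has to be honoured before any authorization check.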