
Multiple attribute-resolver.xml for different SPs


I have different SPs that use my IDP Shibboleth, but for each of them I want to send different attributes in the SAML response.

Is there a way to achieve this? Maybe use different attribute-resolver files, or maybe the same one but with some configuration on the AttributeDefinition that I can set so that shibboleth knows what values to resolve?

I haven't found anything regarding this on their wiki.


Solution

  • I would suggest you look into the topic of attribute mapping. With this, you can define filters on your Service Providers. Collect all attributes you need for all SPs on your IDP and then filter the ones you need on your Service Provider.

    Example: SP 1 needs an attribute called email_1 and SP 2 needs email_2. Then your attribute-resolver.xml might look something like this:

    <AttributeDefinition xsi:type="Simple" id="email_1">
        <!-- attributeNames must match an attributeID exported by the DataConnector (mail_1), not the definition's own id -->
        <InputDataConnector ref="myDB" attributeNames="mail_1"/>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid"/>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="email_1" encodeType="false"/>
    </AttributeDefinition>

    <AttributeDefinition xsi:type="Simple" id="email_2">
        <InputDataConnector ref="myDB" attributeNames="mail_2"/>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid2"/>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.4" friendlyName="email_2" encodeType="false"/>
    </AttributeDefinition>

    <DataConnector id="myDB" xsi:type="RelationalDatabase">
        <SimpleManagedConnection jdbcDriver="com.mysql.jdbc.Driver"
                                 jdbcURL="jdbc:mysql://localhost:3306/login"
                                 jdbcUserName="bla"
                                 jdbcPassword="blabla"/>
        <QueryTemplate>
            <![CDATA[
                SELECT
                    mail_1,
                    mail_2
                FROM login
                WHERE
                    mail_1 = '$resolutionContext.principal'
            ]]>
        </QueryTemplate>
        <!-- each Column exports one attribute from the result set under the given attributeID -->
        <Column columnName="mail_1" attributeID="mail_1"/>
        <Column columnName="mail_2" attributeID="mail_2"/>
    </DataConnector>


    Then, on your Service Provider 1 in attribute-map.xml, you filter out only the attribute you need:

    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail_1" />
    <Attribute name="urn:mace:dir:attribute-def:uid" id="mail_1" />
    

    So when the SP1 receives both mail_1 and mail_2 attributes, mail_2 will be rejected because it's not in your attribute-map.xml file.