Identity Provider - Mapped Attribute Management

Version 3.8.4 introduces a simplified workflow for defining Mapped Attributes. Previously handled through manual JSON configuration, these attributes can now be managed via a centralized "Add Mapped Attribute" interface.

Key Improvements

  • Automated JSON/XML Synchronization: Changes made in the UI are automatically reflected in both idp-attributes.json and the custom-attribute-resolver.xml file, ensuring consistency across the IdP attribute resolver service.

  • Simplified Transformation Logic: Use the "Create Value Map" UI to define how raw data from your data store should be transformed before being sent to Service Providers (SPs).

Configuration Example: Group Attribute Mapping

To map an Active Directory memberOf string to a simplified group name:

  1. Input Attribute: Set to memberOf.

  2. Value Map - Source Value: Enter a regex such as CN=([^,]+).* to extract specific group names.

  3. Return Value: Set to $1 to return the first captured group from the regex.

  4. Protocol Support: Enable encoders for SAML1, SAML2, or OIDC as required by your environment.

Clicking "Add Mapped Attribute" opens a page for entering the data needed to create a mapped attribute for the IdP. The interface resembles the other attribute creation screens but adds a "Create Value Map" UI.


The settings entered in this UI generate a value map of the following form in idp-attributes.json:

CODE
 "mappedAttributes": [
        {
            "id": "group_attr",
            "enabled": true,
            "samlEnabled": true,
            "encoders": [
                {
                    "type": "SAML1",
                    "name": "group_attr"
                },
                {
                    "type": "SAML2",
                    "name": "group_attr"
                },
                {
                    "type": "OIDC",
                    "name": "group_attr"
                }
            ],
            "inputAttribute": "memberOf",
            "passThru": false,
            "valueMaps": [
                {
                    "returnValue": "$1",
                    "sourceValues": [
                        {
                            "value": "CN=([^,]+).*",
                            "partialMatch": false,
                            "caseSensitive": true
                        }
                    ]
                }
            ]
        },
        .....
    ],

Validation

Administrators can verify the resulting configuration by checking the AttributeDefinition in the system's custom-attribute-resolver.xml. A successful configuration generates an xsi:type="Mapped" definition matching the UI parameters. This AttributeDefinition follows the specification at https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199503134/MappedAttributeDefinition.

CODE
  <AttributeDefinition id="group_attr" xsi:type="Mapped" >
    <InputAttributeDefinition ref="memberOf"/>
    <DefaultValue passThru="false"/>
    <ValueMap>
      <ReturnValue>$1</ReturnValue>
      <SourceValue caseSensitive="true" partialMatch="false">CN=([^,]+).*</SourceValue>
    </ValueMap>
  </AttributeDefinition>
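
The value map above releases only the CN and discards the rest of the DN, so it is worth running over memberOf data before SPs base authorization on the result. The Python sketch below is an added example, not code from the product or from this page; it approximates the mapping (assuming partialMatch="false" requires a whole-value regex match and passThru="false" drops unmatched values) and flags name collisions, dropped values and CNs cut short at an escaped comma in constructed sample DNs. The helper names are hypothetical.

```python
import re
from collections import defaultdict

# Value map settings copied from the page's group_attr example.
SOURCE_VALUE = r"CN=([^,]+).*"
RETURN_VALUE = "$1"
CASE_SENSITIVE = True

# Constructed memberOf values for illustration (not from a real directory).
SAMPLE_MEMBER_OF = [
    "CN=vpn-users,OU=Groups,DC=example,DC=org",
    "CN=admins,OU=Groups,DC=example,DC=org",
    "CN=admins,OU=Contractors,DC=example,DC=org",
    r"CN=Ops\, Tier 2,OU=Groups,DC=example,DC=org",
    "OU=Groups,DC=example,DC=org",
]


def map_value(raw):
    """Approximate the Mapped definition for one value (hypothetical helper).
    Assumes partialMatch="false" requires a whole-value regex match; returns
    None when nothing matches (value dropped, since passThru="false")."""
    flags = 0 if CASE_SENSITIVE else re.IGNORECASE
    match = re.fullmatch(SOURCE_VALUE, raw, flags)
    if match is None:
        return None
    # Expand Java-style $n back-references in the return value.
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), RETURN_VALUE)


def audit(values):
    """Return (collisions, dropped, truncated) for a list of memberOf values."""
    released = defaultdict(list)
    dropped, truncated = [], []
    for raw in values:
        out = map_value(raw)
        if out is None:
            dropped.append(raw)
            continue
        released[out].append(raw)
        if out.endswith("\\"):  # capture stopped at an escaped comma in the CN
            truncated.append(raw)
    collisions = {name: dns for name, dns in released.items() if len(dns) > 1}
    return collisions, dropped, truncated


if __name__ == "__main__":
    print(audit(SAMPLE_MEMBER_OF))
```

On the sample data, both "admins" groups are released under the same name, the entry without a CN is dropped, and the group whose CN contains an escaped comma is released as a truncated value.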