attribute-resolver.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
    This file is an EXAMPLE configuration file. While the configuration
    presented in this example file is semi-functional, it isn't very
    interesting. It is here only as a starting point for your deployment
    process.

    Very few attribute definitions and data connectors are demonstrated,
    and the data is derived statically from the logged-in username and a
    static example connector.

    Attribute-resolver-full.xml contains more examples of attributes,
    encoders, and data connectors. Deployers should refer to the Shibboleth
    documentation for a complete list of components and their options.
-->
<AttributeResolver
        xmlns="urn:mace:shibboleth:2.0:resolver"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">


    <!-- ========================================== -->
    <!--      Attribute Definitions                 -->
    <!-- ========================================== -->

    <!--
    The EPPN is the "standard" federated username in higher ed.
    For guidelines on the implementation of this attribute, refer
    to the Shibboleth and eduPerson documentation. Above all, do
    not expose a value for this attribute without considering the
    long term implications.
    -->
    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}">
        <InputAttributeDefinition ref="uid" />
        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
    </AttributeDefinition>

    <!--
    The uid is the closest thing to a "standard" LDAP attribute
    representing a local username, but you should generally *never*
    expose uid to federated services, as it is rarely globally unique.
    -->
    <AttributeDefinition id="uid" xsi:type="PrincipalName">
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
    </AttributeDefinition>

    <!--
    In the rest of the world, the email address is the standard identifier,
    despite the problems with that practice. Consider making the EPPN
    value the same as your official email addresses whenever possible.
    -->
    <AttributeDefinition id="mail" xsi:type="Template">
        <InputAttributeDefinition ref="uid" />
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
        <Template>
          <![CDATA[
               ${uid}@example.org
          ]]>
        </Template>
        <SourceAttribute>uid</SourceAttribute>
    </AttributeDefinition>

    <!--
    This is an example of an attribute sourced from a data connector.
    -->
    <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}">
        <InputDataConnector ref="staticAttributes" attributeNames="affiliation" />
        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
    </AttributeDefinition>


    <!-- ========================================== -->
    <!--      Data Connectors                       -->
    <!-- ========================================== -->

    <DataConnector id="staticAttributes" xsi:type="Static">
        <Attribute id="affiliation">
            <Value>member</Value>
        </Attribute>
    </DataConnector>

</AttributeResolver>
	<?xml version="1.0" encoding="UTF-8"?>
	<!--
	This file is an EXAMPLE configuration file. While the configuration
	presented in this example file is semi-functional, it isn't very
	interesting. It is here only as a starting point for your deployment
	process.

	Very few attribute definitions and data connectors are demonstrated,
	and the data is derived statically from the logged-in username and a
	static example connector.

	Attribute-resolver-full.xml contains more examples of attributes,
	encoders, and data connectors. Deployers should refer to the Shibboleth
	documentation for a complete list of components and their options.
	-->
	<AttributeResolver
	xmlns="urn:mace:shibboleth:2.0:resolver"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">


	<!-- ========================================== -->
	<!-- Attribute Definitions -->
	<!-- ========================================== -->

	<!--
	The EPPN is the "standard" federated username in higher ed.
	For guidelines on the implementation of this attribute, refer
	to the Shibboleth and eduPerson documentation. Above all, do
	not expose a value for this attribute without considering the
	long term implications.
	-->
	<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}">
	<InputAttributeDefinition ref="uid" />
	<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
	<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
	</AttributeDefinition>

	<!--
	The uid is the closest thing to a "standard" LDAP attribute
	representing a local username, but you should generally never
	expose uid to federated services, as it is rarely globally unique.
	-->
	<AttributeDefinition id="uid" xsi:type="PrincipalName">
	<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
	<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
	</AttributeDefinition>

	<!--
	In the rest of the world, the email address is the standard identifier,
	despite the problems with that practice. Consider making the EPPN
	value the same as your official email addresses whenever possible.
	-->
	<AttributeDefinition id="mail" xsi:type="Template">
	<InputAttributeDefinition ref="uid" />
	<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
	<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
	<Template>
	<![CDATA[
	${uid}@example.org
	]]>
	</Template>
	<SourceAttribute>uid</SourceAttribute>
	</AttributeDefinition>

	<!--
	This is an example of an attribute sourced from a data connector.
	-->
	<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}">
	<InputDataConnector ref="staticAttributes" attributeNames="affiliation" />
	<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
	<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
	</AttributeDefinition>


	<!-- ========================================== -->
	<!-- Data Connectors -->
	<!-- ========================================== -->

	<DataConnector id="staticAttributes" xsi:type="Static">
	<Attribute id="affiliation">
	<Value>member</Value>
	</Attribute>
	</DataConnector>

	</AttributeResolver>