test

Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Attribute Mappers

An attribute mapper is used to associate attribute names passed in the <AttributeStatement> of an assertion. A default attribute mapper has been developed for both participants in the SAML v2 interaction, service providers and identity providers. They are defined in the extended metadata configuration files and explained in the following sections:

IDPAttributeMapper

The IDPAttributeMapper interface is used by the identity provider to specify which user attributes will be included in an assertion. The default implementation, com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper, retrieves attribute mappings (SAML v2-attribute=user-attribute) defined in the attributeMap property in the identity provider's extended metadata configuration file. It reads the value of the user attribute from the identity provider's data store, and sets this value as the <AttributeValue> of the specified SAML v2 attribute. The SAML v2 attributes and values are then included in the <AttributeStatement> of the assertion and sent to the service provider. The value of attributeMap can be changed to modify the mapper's behavior without programming. The default mapper itself can be modified to attach any identity provider user attribute with additional programming.

SPAttributeMapper

The SPAttributeMapper interface is used by the service provider to map attributes received in an assertion to its local attributes. The default implementation, com.sun.identity.saml2.plugins.DefaultSPAttributeMapper, retrieves the attribute mappings defined in the attributeMap property in the service provider's extended metadata configuration file. It extracts the value of the SAML v2 attribute from the assertion and returns a key/value mapping which will be set in the user's single sign-on token. The mapper can also be customized to choose user attributes from the local service provider datastore.

ProcedureTo Set Up Attribute Mappers

This procedure will pass the mail and employeeNumber attributes from the identity provider to the service provider.

  1. Export the identity provider's current extended metadata configuration to a file.

    saml2meta [-i staging-directory] export -u amadmin -w password -e IDP-entityID -x IDP-extended-XML-file-name

  2. Edit the attributeMap attribute in the exported extended metadata configuration file to include the user attributes the identity provider will pass to the service provider.

    attributeMap defines the mapping between the provider that this metadata is configuring and the remote provider. This attribute takes a value of autofedAttribute-value=remote-provider-attribute. For example,

    <Attribute name="attributeMap">
<Value>mail=mail</Value>
<Value>employeeNumber=employeeNumber</Value>
</Attribute>

  3. Remove the identity provider's current extended metadata configuration.

    saml2meta [-i staging-directory] delete -u amadmin -w password -e IDP-entityID -c

  4. Import the identity provider's modified extended metadata configuration file.

    saml2meta [-i staging-directory] import -u amadmin -w password -x IDP-extended-XML-file-name

  5. Restart the web container.

  6. Repeat the above steps for the service provider's extended metadata configuration file.

  7. To test, invoke single sign-on from the service provider.

    The assertion contains an AttributeStatement with the mail and employeeNumber attributes which will be set in the single sign-on token.