When using Shibboleth (v3) as SP, can I map the attribute value in attribute-map.xml?

旧巷老猫 submitted on 2019-12-08 03:10:32

Question


OKTA is IdP and Shibboleth is SP in this setting. OKTA is passing attribute 'roles', something like idp_dev_SLAN_Power, idp_dev_SLAN_Admin, idp_dev_SLAN_account, etc.

I am wondering if I can strip 'idp_dev_SLAN_' out when it takes this attribute.

Here is what I see in the current attribute-map.xml.

<Attribute id="roles" name="roles" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" />

I feel like I can possibly do something with AttributeDecoder. Any ideas?


Answer 1:


I think you are probably looking for the Transform type of AttributeResolver which:

applies one or more regular expressions to an input attribute, either replacing its values, or generating new attributes. -- from the Shibboleth Wiki

An example is given:

<AttributeResolver type="Transform" source="displayName">
    <Regex match="^(.+) (.+)$" dest="givenName">$1</Regex>
    <Regex match="^(.+) (.+)$" dest="sn">$2</Regex>
    <Regex match="^(.+) (.+)$">$2, $1</Regex>
</AttributeResolver>

which transforms a displayName into two attributes givenName and sn. But I'm certain you could build a regular expression to grab idp_dev_SLAN_ for the various inbound elements and map those to 1 or more attributes of your desire.
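
Applied to the question's roles attribute, the Transform resolver could look like the fragment below. This is an added example, not part of the original answer or the Shibboleth documentation; placing it under ApplicationDefaults in shibboleth2.xml is an assumption about the deployment's layout.

```xml
<!-- attribute-map.xml: unchanged from the question. The SP first extracts
     the raw values sent by the IdP under the id "roles". -->
<Attribute id="roles" name="roles"
           nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"/>

<!-- shibboleth2.xml, inside <ApplicationDefaults> (assumed location).
     If another AttributeResolver is already configured there, both go
     inside a wrapping <AttributeResolver type="Chaining"> element. -->
<AttributeResolver type="Transform" source="roles">
    <!-- No dest attribute: the values of "roles" are replaced in place,
         as in the third Regex of the example above.
         The pattern is anchored with ^ and $ so that only the exact leading
         prefix idp_dev_SLAN_ is stripped; a value carrying a different
         prefix does not match and is never rewritten to a bare role name.
         Adding dest="..." would write the result to a new attribute and
         keep the raw values in "roles". -->
    <Regex match="^idp_dev_SLAN_(.+)$">$1</Regex>
</AttributeResolver>
```

Because the stripped values typically feed authorization decisions, the application should still compare them against the set of role names it expects.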



Source: https://stackoverflow.com/questions/54815976/when-using-shibboleth-v3-as-sp-can-i-map-the-attribute-value-in-attribute-ma
