Changes

Attribute Conversion for eduGAIN

225 bytes added, 4 September 2008, 10:57 (minor edit)
typos, look, etc
[[Image:JRA5Attributes_bigpicture.png|Attributes:The Big Attribute Picture]]
Attributes travel on the wire in the eduGAIN-defined format, i.e. SAML. Naming attributes and defining their contents may be a standardization task for eduGAIN operators; however, it should be possible for federations to agree on a custom set of attributes ''beyond the "eduGAIN commons"''.
Attribute Conversion only adds attributes (or values) to the attribute set; use [[JRA5AttributeFiltering | Attribute Filtering]] for filtering out unnecessary attributes. It also means that if no rules match an attribute, then it will go to the filter unmodified - so conversion works with a '''default by-pass policy'''.
The rule's action is to create new attributes (or to modify existing ones). Please refer to the detailed BasicRule, MergeRule, SplitRule documentation below.
== Attribute conversion rule types ==
=== BasicRule ===
The Basic rule is the simplest attribute conversion rule type. It can create one attribute and optionally use one attribute and regular expressions to transform attribute values.
Basic Rule can create static attributes. You can achieve this by omitting the Condition node. The <code>replaceValues</code> parameter is true by default, so if you want to append values to (probably) existing attributes, you must declare it using <code>replaceValues="false"</code>. Also note that you can use multiple AttributeValue nodes.
<source lang="xml">
</source>
The next rule uses remote provider matching to determine whether the remote side has an identifier of 'urn:geant:edugain:be:' with any Hungarian domain appended to it.
<source lang="xml">
</source>
This example shows how to rename an attribute without converting its values. Note that you must use <code>AttributeMatch</code> without regular expressions to achieve this.
<source lang="xml">
</BasicRule>
</source>
 
The next example demonstrates the use of regular expression matching groups.
<source lang="xml">
<BasicRule>
<Description>Transform 'o=org,c=country'-style OrgDN to DNS-based homeOrganization</Description>
<Condition>
<AttributeMatch attributeName="edupersonOrgDN" id="regex">o=(.*),c=(.*)</AttributeMatch>
</Condition>
</BasicRule>
</source>
This last example needs some more explanation. When you want to reference the regular expression matching groups (enclosed by parentheses), you must define the reference name with the 'id' parameter of <code>AttributeMatch</code>. Then, use <code>${id[0]}</code> to refer to the whole regular expression match (i.e. the whole attribute value), and <code>${id[N]}</code> to refer to the Nth matching group of the regular expression. {{INFO|You cannot reference another rule's regular expressions.}}
=== MergeRule ===
The merge rule can merge two or more attributes into one. The attributes whose values you want to merge are declared using the InputAttribute node. You can also use the Condition node, but only with <code>RemoteProviderMatch</code> (<code>AttributeMatch</code> is ignored).
This example shows how to combine two attribute values:
<source lang="xml">
</source>
You can also use regular expressions, as with '''BasicRule'''.
=== SplitRule ===
The '''SplitRule''' is very similar to the '''MergeRule'''; the only difference is that the '''SplitRule''' contains one <code>InputAttribute</code> and several <code>Attribute</code> nodes.
<source lang="xml">
<SplitRule>
<Description>Split the edupersonScopedAffiliation to edupersonAffiliation and homeOrganization</Description>
<InputAttribute attributeName="edupersonScopedAffiliation" id="scopedAffiliation">^([^@]+)@(.+)$</InputAttribute>
<Attribute attributeName="edupersonAffiliation">
<AttributeValue>${scopedAffiliation[1]}</AttributeValue>
</Attribute>
<Attribute attributeName="homeOrganization">
<AttributeValue>${scopedAffiliation[2]}</AttributeValue>
</Attribute>
</SplitRule>
</source>
=== CustomRule ===
If you need to create new attributes programmatically (e.g. appending generated identifiers), you can use the CustomRule type.
<source lang="xml">
</source>
The '''CustomRule''' class must implement the <code>net.geant.edugain.attributes.rules.Rule</code> interface; its configuration can be read with the DOM API. Please refer to the Attribute Converter JavaDoc, and see the test package, which contains a sample implementation.
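Before moving on to the name mapper, here is an added illustration of the regex and <code>${id[N]}</code> mechanism shared by the BasicRule matching-group example and the SplitRule above. It is a Python sketch written for this page, not code from the eduGAIN Attribute Converter (which is Java); the sample attribute set, the 'o.c' output template for the OrgDN rule and the find-style match semantics are my assumptions.

```python
import re

# Constructed sample attribute set (not from the page); attributes are multi-valued.
SAMPLE_ATTRS = {
    "edupersonOrgDN": ["o=example,c=hu"],
    "edupersonScopedAffiliation": ["student@example.hu", "member@example.hu"],
    "mail": ["alice@example.hu"],
}
# ${id[N]} references: [0] is the whole match, [N] the Nth matching group.
PLACEHOLDER = re.compile(r"\$\{(\w+)\[(\d+)\]\}")


def expand(template, groups):
    """Substitute every ${id[N]} in an AttributeValue template."""
    return PLACEHOLDER.sub(lambda m: groups[m.group(1)][int(m.group(2))], template)


def apply_rule(attrs, input_name, input_id, regex, outputs, replace_values=True):
    """Evaluate one regex rule (BasicRule with AttributeMatch, or SplitRule).
    outputs maps each output attribute name to its AttributeValue templates.
    Non-matching values produce nothing, so the set passes through unchanged
    (default by-pass policy). Assumption: 'find' semantics, i.e. re.search."""
    result = {name: list(values) for name, values in attrs.items()}
    pattern = re.compile(regex)
    produced = {name: [] for name in outputs}
    for value in attrs.get(input_name, []):
        m = pattern.search(value)
        if m is None:
            continue
        groups = {input_id: [m.group(0)] + [g or "" for g in m.groups()]}
        for out_name, templates in outputs.items():
            produced[out_name].extend(expand(t, groups) for t in templates)
    for out_name, new_values in produced.items():
        if not new_values:
            continue  # rule did not fire: existing attribute is left untouched
        if replace_values:  # replaceValues="true" (the default) overwrites
            result[out_name] = new_values
        else:  # replaceValues="false" appends to what is already there
            result[out_name] = result.get(out_name, []) + new_values
    return result


def split_scoped_affiliation(attrs):
    """The page's SplitRule: scoped affiliation -> affiliation + homeOrganization."""
    return apply_rule(attrs, "edupersonScopedAffiliation", "scopedAffiliation", r"^([^@]+)@(.+)$",
                      {"edupersonAffiliation": ["${scopedAffiliation[1]}"],
                       "homeOrganization": ["${scopedAffiliation[2]}"]})


def orgdn_to_home_organization(attrs):
    """Page's OrgDN BasicRule; the 'o.c' output template is a constructed assumption."""
    return apply_rule(attrs, "edupersonOrgDN", "regex", r"o=(.*),c=(.*)",
                      {"homeOrganization": ["${regex[1]}.${regex[2]}"]}, replace_values=False)
```

Running the split and then the OrgDN rule on the sample set shows why <code>replaceValues="false"</code> matters: the second rule appends to the homeOrganization values the first one produced instead of overwriting them.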
== Using attribute name mapper ==
For interoperability, the SAML AttributeStatement carries attribute names in a URN-style attribute naming scheme. For example, the 'mail' logical attribute name can be named as <code>'urn:mace:dir:attribute-def:mail'</code> or <code>'urn:oid:0.9.2342.19200300.100.1.3'</code>. Shibboleth2 further encourages federations to use the latter form (i.e. the LDAP OID).
The eduGAIN Attribute Converter library comes with an attribute name mapping subsystem. With the help of the attribute name mapper, '''system administrators can write the attribute converter configuration independently of the attribute name format currently used in the AttributeStatement'''.
=== Attribute name mapper concepts ===
As the attribute conversion sits between two federations (and probably two attribute naming schemes), there are two types of physical attributes: the 'input' and 'output' attributes. Note that this notation differs between Home and Remote BEs: the Home BE releases attributes to the eduGAIN federation, while the Remote BE releases attributes to the local federation. '''So the eduGAIN format is the 'output' attribute format of the Home BE, and the 'input' format of the Remote BE.'''
The following example shows the difference between logical and physical attribute names.
{| border="1"
|+ '''Input and output attribute names'''
! Physical input attribute name !! Logical attribute name !! Physical output attribute name
|-
| urn:mace:dir:attribute-def:mail
| rowspan="2" | <center>'''mail'''</center>
| rowspan="2" | urn:mace:dir:attribute-def:mail
|-
| urn:oid:0.9.2342.19200300.100.1.3
|}