Shibboleth at NC State » Technical Documentation » Advanced SP Configuration » Mapping Attributes to Variables

Mapping Attributes to Variables

By default, the SP ignores SAML information about users provided by the IdP unless you specifically tell it how and what to process. This processing is accomplished by providing an attribute-map.xml configuration file that will tell the SP how to map SAML attributes to environment variables that you can use in your web applications.

This page describes the SAML Attributes Provided by the NC State IdP. It also proposes a standard set of environment variable names that we will use on our Service Providers when we map attributes. Our suggested mapping file can be downloaded from here:

This file includes all of the variable names as suggested by the page linked above. If you followed our configuration documentation, you should have installed a copy of this file on your server.

Efficient Mapping

The SP Add Attribute page on the Shibboleth Wiki recommends: "For efficiency, it's suggested that you enable or define mappings for only the information your applications care about."

The file above already has the NC State student and employee attributes commented out. These attributes require a special request, so they will not usually be used by most SPs. You should review the other attributes in the map file and comment out any attributes that you will not be using.

<!-- Comment out this attribute, we will not use it.
    <Attribute
      name="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      id="principal" />
-->

Attribute Aliases

Generally, the attribute map file will look for the first match when mapping attributes to variables. This means you cannot map the same attribute to two or more variables by duplicating the Attribute tag. Instead, you should use aliases.

We have provided one example in our standard map file. We map the attribute for unscoped userid to SHIB_UID by default. We also provide an alias so this same value will be mapped to WRAP_USERID as well. This is done to assist people who are migrating applications from WRAP to Shibboleth.

<Attribute
  name="urn:mace:dir:attribute-def:uid"
  id="SHIB_UID"
  aliases="WRAP_USERID" />
<Attribute
  name="urn:oid:0.9.2342.19200300.100.1.1"
  id="SHIB_UID"
  aliases="WRAP_USERID" />

The SP Attribute Extractor page on the Wiki warns: "The aliases feature is deprecated and may be removed from a future release, consider revising to use the AttributeResolver." We do not have an example on how to do this kind of mapping using AttributeResolver as suggested.