provider exceptions to wildcard attribute maps

Thu, Nov 20, 2008

In the run-up to the 2.0 release, I added some new functionality to the attribute mapping capabilities of the IdP. You can specify a wildcard mapping for all service providers but perhaps you don’t want two or three of them sharing in the fun. Now you can exclude them:

<provider providerId="*">
  <mapRef name="urn:mace:dir:attribute-def:eduPersonTargetedID"/>
  <mapRef name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation-member">
    <except>urn:mace:eduserv.org.uk:athens:federation:uk</except>
  </mapRef>
</provider>

The above snippet from map-providers.xml says the IdP should apply the “urn:mace:dir:attribute-def:eduPersonTargetedID” map to all service providers and the “urn:mace:dir:attribute-def:eduPersonScopedAffiliation-member” map to all service providers except “urn:mace:eduserv.org.uk:athens:federation:uk”. This basically means release eduPersonTargetedID to all service providers and eduPersonScopedAffiliation with a scope of “member” to all service providers except OpenAthens.

Of course, if you want to use exclusion in multiple maps, you can define the service provider as a variable to make it easier to read:

map-vars.xml:

<var name="OpenAthens" value="urn:mace:eduserv.org.uk:athens:federation:uk" />

map-providers.xml:

<provider providerId="*">
  <mapRef name="urn:mace:dir:attribute-def:eduPersonTargetedID"/>
  <mapRef name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation-member">
    <except>${OpenAthens}</except>
  </mapRef>
</provider>
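To make the resolution rule from both snippets concrete, here is an added example (not the IdP's own code) that reads the two files above and answers "which maps apply to this service provider?", expanding ${var} references from map-vars.xml and honouring <except>. The wrapper root elements <vars> and <providers> are assumptions, as is the exact-match rule for non-wildcard providerIds; the snippets themselves are embedded as constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input mirroring the post's two snippets.
# The <vars> and <providers> root elements are assumed, not taken from the IdP.
MAP_VARS_XML = """<vars>
  <var name="OpenAthens" value="urn:mace:eduserv.org.uk:athens:federation:uk" />
</vars>"""

MAP_PROVIDERS_XML = """<providers>
  <provider providerId="*">
    <mapRef name="urn:mace:dir:attribute-def:eduPersonTargetedID"/>
    <mapRef name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation-member">
      <except>${OpenAthens}</except>
    </mapRef>
  </provider>
</providers>"""

VAR_REF = re.compile(r"\$\{([^}]+)\}")


def load_vars(xml_text):
    """Return {name: value} for every <var> element in map-vars.xml."""
    return {v.get("name"): v.get("value") for v in ET.fromstring(xml_text).iter("var")}


def expand(text, variables):
    """Substitute ${name} references. An undefined name raises instead of
    leaving a literal '${...}' that would never match a real providerId."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined map variable: {name}")
        return variables[name]
    return VAR_REF.sub(sub, text.strip())


def applicable_maps(providers_xml, vars_xml, provider_id):
    """Names of the attribute maps applied when releasing to provider_id.
    A <provider> block matches on providerId '*' or an exact id (assumed rule);
    a <mapRef> is skipped when provider_id appears in one of its <except> children."""
    variables = load_vars(vars_xml)
    maps = []
    for prov in ET.fromstring(providers_xml).iter("provider"):
        if prov.get("providerId") not in ("*", provider_id):
            continue
        for ref in prov.iter("mapRef"):
            excluded = {expand(e.text or "", variables) for e in ref.iter("except")}
            if provider_id not in excluded:
                maps.append(ref.get("name"))
    return maps
```

Running it for the OpenAthens entity returns only the eduPersonTargetedID map, while any other provider gets both.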
