
The AttributeQuery Handler plugin for Shibboleth SP

About the AttributeQuery Handler plugin

The AttributeQuery Handler plugin is an extension plugin that sends a SAML AttributeQuery for a user's name identifier to an IdP, takes the AttributeStatement from the returned assertion, and outputs the resulting attribute information in JSON format.

This plugin works on Shibboleth SP 2.5.0 or later.

Activating the AttributeQuery Handler plugin

The AttributeQuery Handler plugin consists of two libraries, attributequery-handler.so for shibd and attributequery-handler-lite.so for the web server module. To load the plugin you must add the former to the <Extensions> element of <OutOfProcess> and the latter to the <Extensions> element of <InProcess>.

Typical Example

<SPConfig>

  <OutOfProcess>
    <Extensions>
      <Library path="attributequery-handler.so" fatal="true"/>
    </Extensions>
  </OutOfProcess>

  <InProcess>
    <Extensions>
      <Library path="attributequery-handler-lite.so" fatal="true"/>
    </Extensions>
  </InProcess>

</SPConfig>

Configuring the AttributeQuery Handler plugin

The AttributeQuery Handler plugin is identified by type="AttributeQuery" in the <Handler> element and accepts the following attributes.

Attribute

  • Location (relative path)

    Path used to invoke handler (when appended to the base handlerURL)

  • acl (space-delimited list of IP addresses or CIDR ranges) (default open access)

    The set of client addresses allowed to invoke the handler. With no acl, any client that can reach the handler URL can make the SP query the IdP for the attributes of any user whose name identifier it knows, so restrict it to the hosts that actually need to call the handler (the example below allows loopback and one /24).

Typical Example

<Handler type="AttributeQuery" Location="/AttributeQuery"
         acl="127.0.0.1 ::1 192.0.2.0/24" />

Requesting to the AttributeQuery Handler plugin

The AttributeQuery Handler plugin takes the following query parameters at request time. The value of each parameter MUST be URL-encoded.

Runtime Parameters

  • entityID

    entityID of the IdP to which the AttributeQuery is sent.

  • nameId

    Name identifier of the user whose attributes are requested.

Typical Example

https://sp.example.ac.jp/Shibboleth.sso/AttributeQuery\
  ?entityID=https%3A%2F%2Fidp.example.ac.jp%2Fidp%2Fshibboleth\
  &nameId=XXXXXXXXXXXXXXXXXXXXXXXXXXX%3D

attributequery.py

attributequery.py is a simple program that executes an AttributeQuery based on either an eduPersonTargetedID or a pair of entityID and nameIdentifier.

The program is written in Python.

Usage

attributequery.py [options] AttributeQueryHandler eduPersonTargetedID
attributequery.py [options] AttributeQueryHandler entityID nameIdentifier

Options:
  -h, --help            show this help message and exit
  -d, --debug           turn on debug output; URL and raw JSON
  -p PROTOCOL, --protocol=PROTOCOL
                        protocolSupportEnumeration value in IdP metadata
  -f FORMAT, --format=FORMAT
                        SAML name identifier format

Typical Example

$ attributequery.py -d \
    https://sp.example.ac.jp/Shibboleth.sso/AttributeQuery \
    'https://idp.example.ac.jp/idp/shibboleth!https://sp.example.ac.jp/shibboleth!XXXXXXXXXXXXXXXXXXXXXXXXXXX='
URL: https://sp.example.ac.jp/Shibboleth.sso/AttributeQuery?entityID=https%3A%2F%2Fidp.example.ac.jp%2Fidp%2Fshibboleth&nameId=XXXXXXXXXXXXXXXXXXXXXXXXXXX%3D
JSON: {
JSON:     "persistent-id" : "https://idp.example.ac.jp/idp/shibboleth!https://sp.example.ac.jp/shibboleth!XXXXXXXXXXXXXXXXXXXXXXXXXXX=",
JSON:     "unscoped-affiliation" : "member;student"
JSON: }
persistent-id=https://idp.example.ac.jp/idp/shibboleth!https://sp.example.ac.jp/shibboleth!XXXXXXXXXXXXXXXXXXXXXXXXXXX=
unscoped-affiliation=member;student
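The following is an added example, not code from the plugin or from attributequery.py, showing the two things a client of the handler has to get right: splitting an eduPersonTargetedID of the form idpEntityID!spEntityID!value into the entityID and nameId parameters, and URL-encoding those parameters exactly as in the request example above. It also parses the handler's JSON reply into the name=value lines that attributequery.py prints, and refuses a reply whose persistent-id does not match the identifier that was queried. The handler URL, entityIDs, identifier value and JSON reply are constructed sample data copied from the page's examples; the fetch hook that lets it run offline is this example's own device.

```python
"""Added example client for the AttributeQuery handler (not the project's code).
The handler URL, identifiers and the JSON reply are constructed sample data."""
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode
from urllib.request import urlopen

HANDLER_URL = "https://sp.example.ac.jp/Shibboleth.sso/AttributeQuery"

# Constructed eduPersonTargetedID: <IdP entityID>!<SP entityID>!<value>
SAMPLE_EPTID = ("https://idp.example.ac.jp/idp/shibboleth!"
                "https://sp.example.ac.jp/shibboleth!"
                "XXXXXXXXXXXXXXXXXXXXXXXXXXX=")

# Constructed reply, shaped like the JSON the page shows the handler returning.
SAMPLE_RESPONSE = json.dumps({
    "persistent-id": SAMPLE_EPTID,
    "unscoped-affiliation": "member;student",
})


def split_targeted_id(eptid: str) -> Tuple[str, str, str]:
    """Split idpEntityID!spEntityID!value into its three components.
    Anything else raises, so a malformed input never silently turns into a
    query for a different principal."""
    parts = eptid.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected idpEntityID!spEntityID!value, got %r" % eptid)
    return parts[0], parts[1], parts[2]


def build_query_url(handler: str, entity_id: str, name_id: str) -> str:
    """Build the handler URL. urlencode() percent-encodes ':', '/' and '='
    inside the values, which is the encoding the handler requires."""
    return handler + "?" + urlencode({"entityID": entity_id, "nameId": name_id})


def flatten(attributes: Dict[str, object]) -> List[str]:
    """Render the JSON object as name=value lines; list values join with ';'."""
    lines = []
    for name, value in attributes.items():
        if isinstance(value, list):
            value = ";".join(str(v) for v in value)
        lines.append("%s=%s" % (name, value))
    return lines


def query_attributes(handler: str, entity_id: str, name_id: str,
                     fetch: Optional[Callable[[str], str]] = None) -> Dict[str, object]:
    """Send the AttributeQuery and return the attributes as a dict.
    `fetch` maps a URL to a response body; by default it performs the HTTPS
    request (the handler's acl decides whether this client may call it),
    and the offline demo injects a canned body instead."""
    if fetch is None:
        def fetch(url: str) -> str:
            with urlopen(url) as resp:
                return resp.read().decode("utf-8")
    attrs = json.loads(fetch(build_query_url(handler, entity_id, name_id)))
    if not isinstance(attrs, dict):
        raise ValueError("handler did not return a JSON object")
    # Sanity check: if the reply carries a persistent-id in ePTID form, its
    # value component must be the identifier we asked about.
    pid = attrs.get("persistent-id")
    if isinstance(pid, str) and pid.count("!") == 2:
        _, _, returned = split_targeted_id(pid)
        if returned != name_id:
            raise ValueError("persistent-id %r does not match queried nameId %r"
                             % (pid, name_id))
    return attrs


def demo() -> List[str]:
    """Offline run against the constructed reply; returns the printed lines."""
    idp, _sp, value = split_targeted_id(SAMPLE_EPTID)
    attrs = query_attributes(HANDLER_URL, idp, value, fetch=lambda url: SAMPLE_RESPONSE)
    return flatten(attrs)


if __name__ == "__main__":
    idp_id, _, name_value = split_targeted_id(SAMPLE_EPTID)
    print("URL:", build_query_url(HANDLER_URL, idp_id, name_value))
    for line in demo():
        print(line)
```

Drop the fetch argument to issue a real request; the calling host must then be inside the handler's acl, and the IdP must already know the SP under the SP entityID that appears in the targeted ID.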