I have different SPs that use my IDP Shibboleth, but for each of them I want to send different attributes in the SAML response.
Is there a way to achieve this?
Maybe use different attribute-resolver files, or maybe the same one but with some configuration on the AttributeDefinition that I can set so that Shibboleth knows what values to resolve?
I haven't found anything regarding this on their wiki.
I would suggest you look into the topic of attribute mapping. With this, you can define filters on your Service Providers. Collect all attributes you need for all SPs on your IDP and then filter the ones you need on your Service Provider.
Example: SP 1 needs an attribute called email_1 and SP 2 needs email_2. Then your attribute-resolver.xml might look something like this:
    <!-- One attribute definition per SP, each fed by the mail_1 / mail_2 attributes the connector below exports -->
    <AttributeDefinition xsi:type="Simple" id="email_1">
        <InputDataConnector ref="myDB" attributeNames="mail_1"/>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid"/>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="email_1" encodeType="false"/>
    </AttributeDefinition>

    <AttributeDefinition xsi:type="Simple" id="email_2">
        <InputDataConnector ref="myDB" attributeNames="mail_2"/>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid2"/>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.4" friendlyName="email_2" encodeType="false"/>
    </AttributeDefinition>

    <!-- Relational connector: exports the two mail columns as attributes mail_1 and mail_2 -->
    <DataConnector id="myDB" xsi:type="RelationalDatabase">
        <SimpleManagedConnection jdbcDriver="com.mysql.jdbc.Driver"
                                 jdbcURL="jdbc:mysql://localhost:3306/login"
                                 jdbcUserName="bla"
                                 jdbcPassword="blabla"/>
        <QueryTemplate>
            <![CDATA[
                SELECT mail_1, mail_2
                FROM login
                WHERE mail_1 = '$resolutionContext.principal'
            ]]>
        </QueryTemplate>
        <Column columnName="mail_1" attributeID="mail_1"/>
        <Column columnName="mail_2" attributeID="mail_2"/>
    </DataConnector>
Then, on your Service Provider 1 in attribute-map.xml, you filter out only the attribute you need:
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail_1" />
    <Attribute name="urn:mace:dir:attribute-def:uid" id="mail_1" />
So when SP 1 receives both mail_1 and mail_2 attributes, mail_2 will be rejected because it's not in your attribute-map.xml file.
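As an added example (not part of the answer above): the SP's attribute-map.xml only decides what the SP keeps after the assertion has arrived, so both attributes are still sent over the wire. The Shibboleth IdP's own per-SP release control is conf/attribute-filter.xml, which selects which resolved attributes go into the assertion for a given requester; with the two definitions from the resolver above, a filter that gives each SP only its own attribute looks like this (entity IDs are constructed placeholders, syntax is IdP v3/v4):

```xml
<!-- conf/attribute-filter.xml on the IdP (Shibboleth IdP v3/v4 syntax).
     The entity IDs below are constructed placeholders; use your SPs' real entityIDs. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- SP 1 receives only email_1; email_2 is never placed in its assertion. -->
    <AttributeFilterPolicy id="releaseToSP1">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp1.example.org/shibboleth"/>
        <AttributeRule attributeID="email_1">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- SP 2 receives only email_2. -->
    <AttributeFilterPolicy id="releaseToSP2">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp2.example.org/shibboleth"/>
        <AttributeRule attributeID="email_2">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- No policy matches any other requester, so other SPs receive neither attribute. -->
</AttributeFilterPolicyGroup>
```

The attributeID values refer to the AttributeDefinition ids in attribute-resolver.xml, not to the SAML names the encoders emit, so they stay the same whichever encoder an SP consumes.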