Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time
Shibboleth IdP User Agent Attribute Extension
This plugin captures the user agent IP address at authentication and then 
allows that information to trigger the association of certain attributes/values
during attribute resolution time.

This plugin requires Shibboleth IdP v2.3.x

Installation/Upgrade Instructions
The following steps must be performed during the initial installation of this
plugin and at every IdP upgrade.

1. Shutdown the container running the IdP.

2. Place the ua-attribute-idp-ext JAR file, located in this bundle, in to the 
   IdP distribution's lib directory
3. Edit the web.xml file, located in the src/main/webapp/WEB-INF directory of the
   IdP distribution, as follows:
   - locate the definition for the Servlet named 'UsernamePasswordAuthHandler'
     this is found around line 100 of the default web.xml file
   - replace the value of the <servlet-class> element with:

4. Run the IdP's install script

5. Configure the attribute resolver as described below.  This step is only performed
   during initial installation.

6. Restart the container running the IdP

Configuration Instructions
The following changes to the IdP's attribute-resolver.xml configuration file 
only need to be performed the first time you install the plugin, after that they 
will carry over through upgrades.

1. Add the following namespace declaration to the root AttributeResolver element:
2. Add the following schema locations to the existing whitespace-separated list: classpath:/schema/ua-attribute-resolver.xsd
3. Define a new data connector as follows, filling in the UNIQUE_ID and Mapping
   elements (described in the following section):
   <resolver:DataConnector id="UNIQUE_ID" xsi:type="uadc:UserAgentMappedAttributes">
      <uadc:Mapping cidrBlock="...." attributeId="..." attributeValue="..." />

4. Create one attribute definition per attribute generated by the data 
   connector.  Only attributes created by attribute definitions may be
   released to a service provider.

CIDR Block -> Attribute Mappings
This plugin creates attributes by checking if the IP address of the user agent,
at the time of authentication, matches a given range of IP addresses identified
by CIDR blocks.  The Mapping element noted in step 3, in the section above,
requires, and only accepts, following XML attributes:
* cidrBlock - the CIDR block (IPv4 or IPv6) that triggers the mapping
* attributeId - the ID of the IdP attribute generated if the mapping is triggered
* attributeValue - the value added to the IdP attribute if the mapping is triggered

You can have more than one mapping rule with the same CIDR block.  This allows
you to create multiple attributes for the given CIDR block.  You can also specify
a given attribute ID more than once in order to generate multiple values
for the ID.


(Historic) User Agent attribute extension for the Shibboleth v2 IdP







No packages published