Attribute Data Store

From GFIPM Implementation Wiki


The attribute data store integrates with the IDP core software module via an attribute authority integration point. It provides a source of trusted data about users that can be used to construct SAML assertions. Any component that acts as an attribute data store is essentially a database. There are virtually no limitations on how the attribute data store stores attributes; however, in the case of Shibboleth, it must store them in a fashion that allows for attribute queries based on a user ID or some other key that can be understood by the Shibboleth IDP and maps uniquely to a specific user. Typically, an organization will want to connect an IDP to an existing user attribute repository, often an LDAP repository or an Active Directory database. It is also possible to use an ODBC or SQL database, a flat file on the local machine's file system, or any other repository, via custom Java code, but these cases are rare. The most common implementation scenario involves connecting an IDP directly to a local LDAP or Active Directory server.
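The requirement that the lookup key map uniquely to a specific user can be enforced at query time. The following is an added example, not code from the wiki or from Shibboleth: it uses an in-memory SQL store with a hypothetical schema (`user_attrs`), constructed sample users and attribute names, and releases no attributes when the key matches zero or several users.

```python
import sqlite3

class AmbiguousPrincipal(Exception):
    """The lookup key matched zero or more than one user record."""

def build_store():
    # Constructed sample data in a hypothetical schema: one row per (user, attribute).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_attrs (uid TEXT, email TEXT, name TEXT, value TEXT)")
    rows = [
        ("jdoe", "jdoe@agency.example", "GivenName", "Jane"),
        ("jdoe", "jdoe@agency.example", "SurName", "Doe"),
        ("jsmith", "shared@agency.example", "GivenName", "John"),
        ("asmith", "shared@agency.example", "GivenName", "Ann"),
    ]
    db.executemany("INSERT INTO user_attrs VALUES (?, ?, ?, ?)", rows)
    return db

def resolve_attributes(db, column, key):
    """Return {attribute name: value} for the single user that key identifies."""
    # Column names cannot be bound as parameters, so they come from an allow-list.
    if column not in ("uid", "email"):
        raise ValueError("unsupported lookup column")
    # The key is a bound parameter and never becomes part of the SQL text.
    users = db.execute(
        f"SELECT DISTINCT uid FROM user_attrs WHERE {column} = ?", (key,)
    ).fetchall()
    if len(users) != 1:
        # Fail closed: an unknown or non-unique key releases no attributes,
        # so one user's data cannot end up in another user's assertion.
        raise AmbiguousPrincipal(f"{column}={key!r} matched {len(users)} users")
    rows = db.execute(
        "SELECT name, value FROM user_attrs WHERE uid = ?", (users[0][0],)
    ).fetchall()
    return dict(rows)

if __name__ == "__main__":
    store = build_store()
    print(resolve_attributes(store, "uid", "jdoe"))
    try:
        resolve_attributes(store, "email", "shared@agency.example")
    except AmbiguousPrincipal as exc:
        print("refused:", exc)
```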

