+For the time being, the "normal" metadata used for SAML 2.0 IdPs is sufficient to drive the filtering engine. Moonshot-specific metadata may be defined in the future.
+
+### Attribute Configuration
+
+The SP's three attribute subsystems are all usable with Moonshot.
+
+[[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeExtractor]]
+
+[[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeFilter]]
+
+[[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeResolver]]
+
+SAML assertions are automatically identified by mech_eap and passed in for processing, using the same XML-based extractor plugin that is familiar to Shibboleth deployers, configured via the "attribute-map.xml" file.
+
+This same file format has been extended to support direct extraction of GSS naming extension attributes via a new "GSS" extractor plugin. To make this plugin available, it must be loaded:
+
+ <OutOfProcess logger="shibd.logger">
+ <Extensions>
+ <Library path="plugins.so" fatal="true"/>
+ </Extensions>
+ </OutOfProcess>
+
+Within the "attribute-map.xml" file, you can create mappings for GSS extensions as follows:
+
+ <GSSAPIAttribute name="urn:ietf:params:gss-eap:radius-avp urn:x-radius:1" id="radius-1"/>
+
+The "name" matches the naming extensions's identifier and the "id", as usual, is a local name for the attribute that may be more convenient for application use. You can also map multiple SAML or GSS attributes to the same local "id" to collapse multiple attribute types into one canonical form.
+
+Other XML attributes defined for the <GSSAPIAttribute> element:
+
+* authenticated="true|false" - allows processing to proceed only if the GSS attribute is authenticated
+* binary="true|false" - treats the GSS attribute as binary-valued
+
+### Daemon Use
+
+To move processing (and significant startup cost) outside of the GSS server process, you can patch mech_eap as follows:
+
+ --- a/moonshot/mech_eap/util_shib.cpp
+ +++ b/moonshot/mech_eap/util_shib.cpp
+ @@ -417,8 +417,7 @@ gss_eap_shib_attr_provider::initWithJsonObject(const gss_eap
+ bool
+ gss_eap_shib_attr_provider::init(void)
+ {
+ - if (SPConfig::getConfig().getFeatures() == 0 &&
+ - ShibbolethResolver::init() == false)
+ + if (ShibbolethResolver::init(SPConfig::InProcess) == false)
+ return false;
+
+ gss_eap_attr_ctx::registerProvider(ATTR_TYPE_LOCAL, createAttrContext);
+
+The shibresolver library also has to be loaded as an extension (exact path and filename vary by platform):
+
+ <OutOfProcess logger="shibd.logger">
+ <Extensions>
+ <Library path="plugins.so" fatal="true"/>
+ <Library path="/usr/lib/libshibresolver.so" fatal="true"/>
+ </Extensions>
+ </OutOfProcess>
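Review bot: The `authenticated="true|false"` bullet under "Other XML attributes" does not state the default, and the paragraph just above it encourages mapping several SAML or GSS attributes onto one local "id". Read together, a deployer cannot tell whether an unauthenticated GSS attribute can land under the same id as an authenticated one. Please state the default for both `authenticated` and `binary`, and add a sentence on what an application may assume about authentication status once ids are collapsed. In "Daemon Use", the embedded mech_eap patch drops the `SPConfig::getConfig().getFeatures() == 0` guard, so `ShibbolethResolver::init(SPConfig::InProcess)` is called unconditionally. The text should say why the guard is no longer needed and what happens to the GSS server process when the daemon side is not available. Minor: "naming extensions's identifier" should read "naming extension's identifier", and the first `<Library path="plugins.so" .../>` snippet uses a bare filename while the second uses an absolute path, so the "vary by platform" caveat should cover both.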