Other SP's transient ID in attribute query

Cantor, Scott cantor.2 at osu.edu
Tue Nov 8 02:06:17 GMT 2011


On 11/7/11 8:54 PM, "Takeshi NISHIMURA" <takeshi at nii.ac.jp> wrote:

>From my understanding, an attribute query from an SP makes use of the
>transient ID (session ID) to retrieve attributes of the user tied to
>the ID.

First of all, there is nothing standards-based about the discussion;
you're talking about Shibboleth conventions for combining unrelated
profiles, SSO and query.

Secondly, a Shibboleth SP will query only if no attributes are already
given to it, and when it does it uses whatever NameID or NameIdentifier it
finds. It has nothing to do with whether it's a transient or not.

>I wonder if another SP can retrieve his attributes from the same IdP
>using the same transient ID.

Not unless you substitute an implementation for the relevant plugins that
allows it.

>Is this possible / allowed?

Yes, it's possible, and we don't dictate what's allowed. That's policy.
The plugins provided for generating transient identifiers and mappings
don't allow it.

-- Scott
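
As an added illustration, not part of Scott's reply and not Shibboleth's own code, the following Python model shows the property the stock transient ID plugins enforce: the issued value is stored together with the relying party it was generated for, and resolving it during an attribute query checks the requester against that binding, so a second SP presenting the same value is refused. The class name, the in-memory store, the lifetime value and the example entity IDs are all made up for this example.

```python
import secrets
import time


class TransientIdStore:
    """Constructed model of a transient NameID store (illustrative, not Shibboleth code).

    Each issued value maps to (principal, relying party it was issued to, expiry).
    """

    def __init__(self, lifetime_seconds=4 * 3600):
        # Assumed lifetime; the real IdP's value is configurable.
        self.lifetime = lifetime_seconds
        self._entries = {}

    def issue(self, principal, relying_party, now=None):
        """Mint an opaque, unguessable value bound to one relying party."""
        now = time.time() if now is None else now
        value = "_" + secrets.token_hex(16)  # opaque; reveals nothing about the user
        self._entries[value] = (principal, relying_party, now + self.lifetime)
        return value

    def resolve(self, value, requester, now=None):
        """Map a transient value back to a principal for an attribute query.

        Raises LookupError for unknown or expired values and PermissionError
        when the requester is not the relying party the value was issued to.
        """
        now = time.time() if now is None else now
        entry = self._entries.get(value)
        if entry is None:
            raise LookupError("unknown transient ID")
        principal, relying_party, expires = entry
        if now >= expires:
            raise LookupError("transient ID expired")
        if requester != relying_party:
            # This is the check that stops another SP from reusing the value.
            raise PermissionError("transient ID was issued to a different relying party")
        return principal


def demo():
    """Issue one transient ID to SP1 and attempt to resolve it from SP1, SP2, and after expiry."""
    sp1 = "https://sp1.example.org/shibboleth"  # constructed entity IDs
    sp2 = "https://sp2.example.org/shibboleth"
    store = TransientIdStore(lifetime_seconds=3600)
    t0 = 1_000_000.0
    tid = store.issue("alice", sp1, now=t0)

    results = {"value_is_opaque": not tid.endswith("alice")}
    results["sp1"] = store.resolve(tid, sp1, now=t0 + 10)
    try:
        store.resolve(tid, sp2, now=t0 + 10)
        results["sp2"] = "resolved"
    except PermissionError:
        results["sp2"] = "refused"
    try:
        store.resolve(tid, sp1, now=t0 + 3600)
        results["expired"] = "resolved"
    except LookupError:
        results["expired"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The binding to the relying party, rather than the opacity of the value, is what makes the answer to the original question "no" with the default plugins; a store that kept only principal and expiry would let any SP that obtained the value resolve it, which is exactly the substitution Scott describes.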
