Other SP's transient ID in attribute query

Takeshi NISHIMURA takeshi at nii.ac.jp
Tue Nov 8 02:20:20 GMT 2011


Hi Scott,

Thanks for the quick response! As you described perfectly, I understand the current Shibboleth implementation and that my question had nothing to do with standards.

Thanks again,
Takeshi

(2011/11/08 11:06), Cantor, Scott wrote:
> On 11/7/11 8:54 PM, "Takeshi NISHIMURA"<takeshi at nii.ac.jp>  wrote:
>
>> From my understanding, attribute query from an SP makes use of the
>> transient ID (session ID) to retrieve attributes of the user tied with
>> the ID.
>
> First of all, there is nothing standards-based about the discussion,
> you're talking about Shibboleth conventions for combining unrelated
> profiles, SSO and query.
>
> Secondly, a Shibboleth SP will query only if no attributes are already
> given to it, and when it does it uses whatever NameID or NameIdentifier it
> finds. It has nothing to do with whether it's a transient or not.
>
>> I wonder if another SP can retrieve his attributes from the same IdP
>> using the same transient ID.
>
> Not unless you substitute an implementation for the relevant plugins that
> allows it.
>
>> Is this possible / allowed?
>
> Yes, it's possible, and we don't dictate what's allowed. That's policy.
> The plugins provided for generating transient identifiers and mappings
> don't allow it.
>
> -- Scott
