Other SP's transient ID in attribute query

Takeshi NISHIMURA takeshi at nii.ac.jp
Tue Nov 8 02:20:20 GMT 2011

Hi Scott,

Thanks for the quick response! As you described perfectly, I understand the current Shibboleth implementation and that my question had nothing to do with standards.

Thanks again,

(2011/11/08 11:06), Cantor, Scott wrote:
> On 11/7/11 8:54 PM, "Takeshi NISHIMURA" <takeshi at nii.ac.jp> wrote:
>> From my understanding, attribute query from an SP makes use of the
>> transient ID (session ID) to retrieve attributes of the user tied with
>> the ID.
> First of all, there is nothing standards-based about the discussion,
> you're talking about Shibboleth conventions for combining unrelated
> profiles, SSO and query.
> Secondly, a Shibboleth SP will query only if no attributes are already
> given to it, and when it does it uses whatever NameID or NameIdentifier it
> finds. It has nothing to do with whether it's a transient or not.
>> I wonder if another SP can retrieve his attributes from the same IdP
>> using the same transient ID.
> Not unless you substitute an implementation for the relevant plugins that
> allows it.
>> Is this possible / allowed?
> Yes, it's possible, and we don't dictate what's allowed. That's policy.
> The plugins provided for generating transient identifiers and mappings
> don't allow it.
> -- Scott

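A minimal model of the behaviour described in the thread above, in which the IdP-side mapping for a transient ID is tied to the SP it was issued to, so an attribute query from a different SP is refused. This is an added example, not Shibboleth code and not part of the original messages; the class, function and entityID values are hypothetical, and the requesting SP is assumed to be already authenticated.

```python
import secrets
import time


class TransientIdStore:
    """Toy IdP-side transient NameID mapping (hypothetical, not Shibboleth's plugin)."""

    def __init__(self, lifetime_s=300, clock=time.time):
        # transient ID -> (principal, entityID of the SP it was issued to, expiry)
        self._entries = {}
        self._lifetime = lifetime_s
        self._clock = clock

    def issue(self, principal, sp_entity_id):
        # Opaque random value: carries no information about the principal.
        tid = "_" + secrets.token_hex(16)
        self._entries[tid] = (principal, sp_entity_id, self._clock() + self._lifetime)
        return tid

    def resolve(self, tid, requester_entity_id):
        entry = self._entries.get(tid)
        if entry is None:
            raise LookupError("unknown transient ID")
        principal, issued_to, expiry = entry
        if self._clock() >= expiry:
            del self._entries[tid]
            raise LookupError("transient ID expired")
        # The policy decision from the thread: only the SP that received
        # the identifier at SSO time may use it in a later query.
        if requester_entity_id != issued_to:
            raise PermissionError("transient ID was issued to a different SP")
        return principal


def attribute_query(store, attributes, tid, requester_entity_id):
    """Answer a query for the subject named by tid.

    requester_entity_id is assumed to come from an authenticated request.
    """
    principal = store.resolve(tid, requester_entity_id)
    return attributes[principal]


if __name__ == "__main__":
    store = TransientIdStore()
    attrs = {"alice": {"eduPersonAffiliation": ["member"]}}  # constructed sample data
    tid = store.issue("alice", "https://sp-a.example.org/shibboleth")
    print(attribute_query(store, attrs, tid, "https://sp-a.example.org/shibboleth"))
```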