New attribute filter help

Cantor, Scott cantor.2 at
Fri Sep 30 18:11:32 BST 2011

On 9/30/11 11:53 AM, "Morris, Andi" <amorris at> wrote:
>For Shibboleth users, we are expecting to receive the following
>     > An attribute with a name that matches the regular expression
>(ignoring case) 
>should be some sort if ID representing the logged in user followed by

That would be a deprecated form and you shouldn't need to release that to
anybody. The SP has plenty of tools for them to use to normalize what you
send into whatever form they need, and if they're using "not Shibboleth",
that remains their responsibility.

>An attribute with a name that matches the regular
>expression".*IDP.ENTITY.*". The value should be the EntityID of the
>Identity provider.

That's not typical, and it is incorrect to use "regular expressions" to
match attribute names.

Again, any SP should provide access to the issuer of the assertion, which
is your entityID.

>Also, is there a way I can release the EntityID as an attribute?

You would need to populate it from information in the request context.

-- Scott

More information about the users mailing list