attribute resolver behavior

David Bantz dabantz at
Wed Aug 29 20:11:37 EDT 2012

Call me naive, but I presumed that resolvers would be invoked as needed by the release policy for a service.  The set of attributes needed for all SPs we support (and consequently the directory attributes needed) is much larger than the set for any one service, so the process the logs indicate - resolving all attributes defined, and then deleting all those not released to the current service - seems extravagant.  Is there a way to trigger resolution (if that's the right term) of only those attributes to be released in the current transaction with a specific SP?  Or is this inherently efficient enough that I shouldn't fret the additional overhead?

David Bantz

>> 15:55:35.095 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:274] - Specific attributes for principal [••••••••] were not requested, resolving all attributes.
>> /* Yikes, that means every single attribute definition is triggered - a whale of a lot with a lot of redundancy from two different sources. 
>> Is that 'normal' ? */
> Yes, at that stage of resolution.  You can limit what attributes are queried in the LDAP DataConnector in attribute-resolver.xml

More information about the users mailing list