Dynamic Custom Attribute Values

Royder, Kyle D kroyder at austin.utexas.edu
Fri Nov 16 16:40:06 EST 2012

Sorry if this is in the wiki, but I couldn't find an example.

I am working with a SP that can only look at a single attribute for their permission scheme. I'm trying to figure out the options available to me on the IdP side to facilitate this.  I'd like to attempt to keep as much of the work as possible, for looking at attribute values and making decisions, on the SP's side.

Ideally, the SP would be able to look at two attributes, one for the user's org unit and another for the user's school code and figure out the permissions on their side.

Is it possible, using the out-of-box Shibboleth IdP v2, to create a new attribute that is populated from LDAP attribute values conditionally based on other LDAP attributes for the user that is authenticating?  I know that I can create a static attribute with custom values and then create multiple release policies that can check LDAP attributes for particular values, and only permit the release of certain values from the new static attribute but this is not something I think I would like to maintain on my side.

If a user is a faculty/staff member (determined from their affiliation LDAP attribute), then the new attribute would contain the values from their org unit LDAP attribute.
If a user is a student(determined from their affiliation LDAP attribute), then the new attribute would contain values from their associated school code or "student"+schoolCode.

Thanks for any help!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20121116/86ebc5e2/attachment-0001.html 

More information about the users mailing list