Different SAML response for different SPs
Christopher Bongaarts
cab at umn.edu
Fri Jun 7 11:44:10 EDT 2013
On 6/7/2013 9:06 AM, kotesh201 wrote:
> I need to validate authentication request and send different attributes and
> the SAML response based on the new AttributeVersion tag.
>
> With standard Shibboleth implementation, is it possible to send different
> responses to different SPs ?

Just to clarify one thing from Kevin's response:

In the IdP, you would not typically base your attribute filter on an
extension tag like AttributeVersion (though it might be possible);
instead, you would use the entityID of the requesting SP to select
between them. e.g.

<AttributeFilterPolicy id="sp-one">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                           value="https://sp-one.example.org" />
    <AttributeRule attributeID="attribute1">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

<AttributeFilterPolicy id="sp-two">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                           value="https://sp-two.example.org" />
    <AttributeRule attributeID="attribute2">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
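
An added example, not part of the original message or of Shibboleth itself: a small audit script that reads a filter policy file and reports which attribute IDs would be released to a given SP entityID. The wrapper element, its namespace declarations and the function names are assumptions made so the fragment parses on its own; only the two rule types used in the message are modeled.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the two policies from the message, wrapped in a group
# element with namespace declarations (assumed) so the XML is well-formed.
SAMPLE = """<AttributeFilterPolicyGroup id="constructed-example"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="sp-one">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp-one.example.org" />
    <AttributeRule attributeID="attribute1">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="sp-two">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp-two.example.org" />
    <AttributeRule attributeID="attribute2">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def released_attributes(filter_xml, requester):
    """Return sorted attribute IDs released to the SP with this entityID."""
    released = set()
    for policy in ET.fromstring(filter_xml).iter():
        if local(policy.tag) != "AttributeFilterPolicy":
            continue
        rule = next((c for c in policy if local(c.tag) == "PolicyRequirementRule"), None)
        if rule is None:
            continue
        # Fail closed: refuse to guess at rule types this audit does not model.
        if rule.get(XSI_TYPE, "").split(":")[-1] != "AttributeRequesterString":
            raise ValueError(f"unsupported requirement rule in policy {policy.get('id')}")
        if rule.get("value") != requester:  # assumed exact, case-sensitive match
            continue
        for attr_rule in (c for c in policy if local(c.tag) == "AttributeRule"):
            permits = [c for c in attr_rule if local(c.tag) == "PermitValueRule"]
            # Only an unconditional permit (basic:ANY) is counted as released.
            if any(p.get(XSI_TYPE, "").split(":")[-1] == "ANY" for p in permits):
                released.add(attr_rule.get("attributeID"))
    return sorted(released)
```
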