Refusing to send an assertion if attribute not present?

Christopher Bongaarts cab at
Wed Mar 13 14:22:31 EDT 2013

On 3/12/2013 3:49 PM, Erdos, Marlena wrote:
> I'm using external authentication, so my alternative is to check for
> presence of the attribute in the external authN callback servlet --
> and maybe that's the place to do it, but I figured I'd ask.  (It seems
> "wasteful" to be pulling attributes from LDAP twice -- once in the
> callback and then again in the resolver.)

We do two LDAP calls (one in our custom login handler and one in the 
attribute resolver) for every auth.  Not that big a deal for our LDAP 
servers as they are exact searches for a unique identifier, which is 
nicely indexable.

%%  Christopher A. Bongaarts   %%  cab at          %%
%%  OIT - Identity Management  %%  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
