Does mod_shib ever do AttributeQueries?
kwessel at illinois.edu
Tue Apr 15 12:36:58 EDT 2014
We're looking at getting rid of the artifact resolution and attribute query endpoints on our IDP. It was something that interested me before last week, and now I have a good reason to put time into it.
I've looked at our access logs for the past month, and I see only 33 accesses to attribute query endpoints, all from on-campus SPs. I'm pretty sure all of these SPs are using mod_shib under Apache, and the number of attribute queries ranges from 1 to 15 per SP. So, not a lot at all considering a couple of these SPs do several thousand authentication requests a day.
Problem is I can't explain why they're doing attribute queries at all, nor can the admins of the servers. Does mod_shib ever generate an attribute query to the IDP under the hood? If so, under what circumstances? Just trying to figure out if we'll break anything by turning this off.
More information about the users