Intercept Flows and checking raw LDAP attributes
Marvin Addison
marvin.addison at gmail.com
Tue Aug 4 10:42:03 EDT 2015
>
> > This works well as long as I add the "fake" attribute to the consent
> > page Blacklist. Just to be sure even though the attribute shows up in the
> > log, it doesn't actually transmit because there
> > is no encoder to encode it?
>
> Not in SAML, I couldn't speak to CAS.
>
All configured attributes are released for CAS since there's no concept of
attribute encoding in that protocol. I could probably make CAS behave
similarly, but I'm somewhat ambivalent whether it makes sense. On the one
hand it's a feature that I use in my own institutional configuration to do
what I want; on the other hand there's conflict with the audit log and
actual data that appears in the outgoing assertion (as you noted). I also
found it somewhat surprising initially, but that may have been due to
ignorance as much as anything else.
M