Intercept Flows and checking raw LDAP attributes

Marvin Addison marvin.addison at
Tue Aug 4 10:42:03 EDT 2015

> >​This works well as long as I add the "fake" attribute to the consent
> page Blacklist. Just to be sure even though the attribute shows up in the
> log, it doesn't actually transmit because there
> > is no encoder to encode it?
> Not in SAML, I couldn't speak to CAS.

All configured attributes are released for CAS since there's no concept of
attribute encoding in that protocol. I could probably make CAS behave
similarly, but I'm somewhat ambivalent whether it makes sense. On the one
hand it's a feature that I use in my own institutional configuration to do
what I want; on the other hand there's conflict with the audit log and
actual data that appears in the outgoing assertion (as you noted). I also
found it somewhat surprising initially, but that may have been due to
ignorance as much as anything else.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list