Encoding attributes with multiple encoders

David Langenberg davel at uchicago.edu
Sun Aug 9 17:22:59 EDT 2015


On Sun, Aug 9, 2015 at 12:33 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 8/9/15, 10:50 AM, "users on behalf of Rod Widdowson" <
> users-bounces at shibboleth.net on behalf of rdw at steadingsoftware.com> wrote:
>
> >> it seems to release only the final encoded attribute.
> >
> >From reading the code I would have expected to see the first. But I’ll
> confirm that that is what the AddAttributeStatementToAssertion actions do
> (each IdPAttribute gets encoded by a maximum of one encoder).
> >
> >I'd defer to Scott as to whether that is correct, although lack of
> backwards compatibility has always got to be treated with suspicion.
>
> It sounds like a bug, although in practice most cases where this was being
> done were actually suboptimal. Usually the goal was to encode it
> differently for a different RP, and so attaching a condition to the encoder
> might be the better choice here, but I don't think it was intentional that
> the behavior changed, no.
>

IDP-785 for your debugging pleasure then.  You're right, this is exactly
being done due to some RP insisting that the attribute be encoded their
way.  What really frosts my cake about this particular RP is they're
running Shibboleth as their SP.

Dave

-- 
David Langenberg
Identity & Access Management Architect
The University of Chicago