Setting up IdP3 to release set of attributes only to CAS users

Cantor, Scott cantor.2 at
Thu Aug 13 13:15:34 EDT 2015

On 8/13/15, 1:04 PM, "users on behalf of Rod Widdowson" <users-bounces at on behalf of rdw at> wrote:

>> To clarify a little more since there’s different ways to use CAS with
>> we’re using the embedded CAS protocol in Shibboleth IdP3 and want to
>> release a set of attributes to everyone that logs in using CAS protocol.
>It sounds like you need to use the activationConditions on the attribute
>resolvers.  I don't think that there is a pre-defines predicate available,
>but Marvin will have suggestions about where to look and you do have the
>scriptedCondition in your toolkit.
>Or Marvin will tell me that I've barked up the wrong tree.

IIRC, when things are set up as they were directed to be right now, the location of the CAS client will end up being usable in an attribute filter policy rule to control attribute release.

It's TBD to allow use of SAML metadata to indirect that relationship (i.e. identify the CAS RP symbolically across potentially many CAS client URLs).

It's not really about identifying that CAS is being used here, but about how the CAS support is integrated with the relying party machinery in the IdP and how it identifies the RP in that profile.

-- Scott

More information about the users mailing list