Setting up IdP3 to release set of attributes only to CAS users

Jonathan Johnson jsjohnson at
Fri Aug 14 10:29:03 EDT 2015

Thanks for the verification.

One thing to note for posterity: expect collisions if you use a regex for the policy requirement rules on CAS services. It’s very likely that something like `^https://.*\.somegreatuniversity\.edu/.*`, for instance, is going to match some SAML SPs as well. So, depending upon your rules, you could get some unexpected behavior.

Thanks again, and look forward to 3.2.


On August 14, 2015 at 08:35:15, Marvin Addison (marvin.addison at wrote:

Marvin, can you verify what version of Shibboleth you are using?

I am using a recent 3.2.0 snapshot.
I remember doing something like this a while back, but when I go to do the same in 3.1.2, the attributes are not returning.

I attempted to reproduce in 3.1.2 and confirmed the behavior you cited, and in the process recalled there was a bug for this that has been fixed for 3.2.0:

So unfortunately group-based filtering won't work in 3.1.2 as you stated. Using a regex filter like Walter suggested should suffice as an alternative until 3.2.0 is released.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list