idpv3 attribute-resolver + PluginActivationConditions

Jarno Huuskonen jarno.huuskonen at
Thu Aug 27 08:25:59 EDT 2015


On Thu, Aug 27, Tom Scavo wrote:
> On Thu, Aug 27, 2015 at 7:46 AM, Jarno Huuskonen <jarno.huuskonen at> wrote:
> >
> > Is it possible to use ExternalAttributePluginActivationConditions
> > (shibboleth.Conditions.RelyingPartyId)
> > (
> > with "RelyingPartyByGroup" ?
> >
> > For example if I have edugain metadata with:
> > <md:EntitiesDescriptor ... Name="" ...>
> > is it possible to match this group Name with
> > shibboleth.Conditions.RelyingPartyId in attribute-resolver ?
> >
> > And is it possible to negate ActivationConditions ?
> > (to have a condition where edugain-group gets this attribute-resolver
> > and !edugain-group(everybody else) gets something else).
> I can't answer your technical questions directly but I will try to
> steer you away from leveraging the EntitiesDescriptor/@Name XML
> attribute in the first place. First, you need to come up with a better
> example since IdPs are not supposed to be updating eduGAIN metadata
> directly. Even if you can produce a more realistic use case, IdP
> operators are advised not to leverage the EntitiesDescriptor/@Name XML
> attribute since 1) the composition of aggregates is subject to change,
> so today's policy (based on Name) is tomorrow's headache, and 2)
> per-entity metadata distribution is in our not-too-distant future, so
> IdP configurations should focus on entity characteristics, not the
> aggregate.

Ok, the edugain metadata our idp uses is specific/customized for our idp
(HAKA federation generates this metadata for us) so it's not complete
edugain aggregate metadata.
Now this metadata only has 1 edugain SP.
So at the moment it's not a problem to use RelyingPartyId of that
specific SP.
(And at the moment I only need to use a different source attribute for
displayName --> this is easy to solve by creating a displayName-edugain
attribute and releasing this).

2) "entity characteristics" ? Do you have any examples for this ?
Would metadata-providers.xml <MetadataProvider id="..." be something
that's more future-proof ?


Jarno Huuskonen
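As an added illustration of the per-SP approach Jarno settles on (this is editor-supplied example configuration, not part of the thread and not from either poster), the fragments below scope one attribute definition to a single relying party and a second one to everybody else. They assume an IdP v3 deployment where `shibboleth.Conditions.RelyingPartyId` and `shibboleth.Conditions.NOT` are available as parent beans, that custom beans live in conf/global.xml, and that the entity ID, bean IDs and the `myLDAP` connector are placeholders.

```xml
<!-- conf/global.xml (fragment): condition beans. -->

<!-- True when the current relying party is the one eduGAIN SP.
     The entity ID is a constructed placeholder. -->
<bean id="IsEdugainSP" parent="shibboleth.Conditions.RelyingPartyId">
    <constructor-arg>
        <list>
            <value>https://sp.example.org/shibboleth</value>
        </list>
    </constructor-arg>
</bean>

<!-- Negation: true for every relying party except the one above. -->
<bean id="IsNotEdugainSP" parent="shibboleth.Conditions.NOT">
    <constructor-arg ref="IsEdugainSP"/>
</bean>

<!-- conf/attribute-resolver.xml (fragment): two definitions that
     produce the same attribute ID from different source attributes,
     only one of which is activated for a given request. -->

<!-- Resolved only for the eduGAIN SP. -->
<resolver:AttributeDefinition id="displayName" xsi:type="ad:Simple"
        sourceAttributeID="displayNameIntl"
        activationConditionRef="IsEdugainSP">
    <resolver:Dependency ref="myLDAP"/>
</resolver:AttributeDefinition>

<!-- Resolved for everybody else. Using a different id keeps the two
     definitions distinct in the resolver; map it to the same
     name on the release side if the same on-the-wire name is wanted. -->
<resolver:AttributeDefinition id="displayNameDefault" xsi:type="ad:Simple"
        sourceAttributeID="displayName"
        activationConditionRef="IsNotEdugainSP">
    <resolver:Dependency ref="myLDAP"/>
</resolver:AttributeDefinition>
```

The activation condition only controls whether the definition is resolved; release to the SP is still governed by attribute-filter.xml, which is where the scoping should be double-checked after any change to the source attributes.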
