Attribute resolution fails for directAuthenticator strategy

Cantor, Scott cantor.2 at
Tue Dec 22 09:56:30 EST 2015

On 12/22/15, 9:51 AM, "users on behalf of Zoltan JANOTA" <users-bounces at on behalf of zoltan.janota at> wrote:

>Thanks, Scott!
>Any hints on how the attribute resolution could be extended to use the context which was created during the bind?

I'm pretty sure I explicitly said you can't:

>For authentication perhaps, definitely not attributes. Not even possible in general, though under very constrained conditions it could be done. But I don't believe we have ever supported that and certainly that isn't part of the resolver configuration.

You can pull back LDAP attributes during authentication and I guess if you really wanted to waste the time you could write a bunch of code in resolver scripts to pull that data out of the Java Subject during the resolution step to get them into the resolver stage. But I certainly wouldn't.

It is bad design in Shibboleth to rely on the resolver running on the front-channel. Even if that's all you need now, it won't necessarily stay that way and you're building in a trap if the back channel is ever needed. Just don't.

-- Scott
