Attribute resolution fails for directAuthenticator strategy
Cantor, Scott
cantor.2 at osu.edu
Tue Dec 22 09:56:30 EST 2015
On 12/22/15, 9:51 AM, "users on behalf of Zoltan JANOTA" <users-bounces at shibboleth.net on behalf of zoltan.janota at unodc.org> wrote:
>Thanks, Scott!
>
>Any hints on how the attribute resolution could be extended to use the context which was created during the bind?

I'm pretty sure I explicitly said you can't:

>For authentication perhaps, definitely not attributes. Not even possible in general, though under very constrained conditions it could be done. But I don't believe we have ever supported that and certainly that isn't part of the resolver configuration.

You can pull back LDAP attributes during authentication and I guess if you really wanted to waste the time you could write a bunch of code in resolver scripts to pull that data out of the Java Subject during the resolution step to get them into the resolver stage. But I certainly wouldn't.

It is bad design in Shibboleth to rely on the resolver running on the front-channel. Even if that's all you need now, it won't necessarily stay that way and you're building in a trap if the back channel is ever needed. Just don't.

-- Scott