Passing info from authentication to resolver?

Ian Rifkin irifkin at
Wed Apr 20 17:49:26 EDT 2016


In IDPv3 is it possible to pass information from an LDAP bind on the
Password authn flow?

I have what I think is a unique situation.

Some background: Due to a circumstance I won't delve too much into, we have
a custom LDAP instance for a particular SP as a temporary measure (due to a
namespace transition). When a person binds against this custom LDAP
instance it first attempts a bind against a DB then if that fails it
attempts a regular LDAP bind. On success it returns a DN and can return one
ID number attribute.

Basically it's a way to bind with an unscoped username against two domains.
I know this is "bad" but it's what we're attempting as a temporary measure.

Problem: Due to this unique circumstance one cannot search for an unscoped
uid against the custom LDAP instance b/c it won't know which domain to

Using LDAP authn (Password authn flow) with Shib IDP v3 gets me through
the authentication piece. It allows users to authenticate with an
unscoped username and it does the right thing.

The problem is I then need to return (from the resolver) in the SAML
response a particular ID number associated with the bound user.

In the resolver I can get the $requestContext.principalName but that seems
to be whatever the user typed in on the form and *not* something returned
from the authenticated LDAP bind.

Is it possible for the resolver to use anything from authentication? It
would be great if on authentication it could return the attribute I'm
looking for, but being able to search on the dn returned (from the
authenticated bind) would also do the trick.

Any clues out there that might help???

Ian Rifkin '04, MS '09
Software Systems Manager
Library and Technology Services (LTS)
Brandeis University