Passing info from authentication to resolver?

[Cantor, Scott]

On 4/20/16, 5:49 PM, "users on behalf of Ian Rifkin" <users-bounces at shibboleth.net on behalf of irifkin at brandeis.edu> wrote:



>In IDPv3 is it possible to pass information from an LDAP bind on the Password authn flow?

Yes, the LDAP attributes returned by the bind should be included in the Java Subject produced, I believe.

>In the resolver I can get the $requestContext.principalName but that seems to be whatever the user typed in on the form and *not* something returned from the authenticated LDAP bind.

Well, no, it's what *you* choose to tell it to canonicalize the subject into after authentication. If you don't do anything special, then it's whatever the user enters, but that's a choice. See the SubjectCanonicalicationConfiguration topic.

There is no built-in c14n flow that would pull data back out of the LDAP response in the Subject and use that to construct the principal name, but that's certainly possible to build. It's analagous to the X.509 example that pulls data out of the certificate.

But anything you can do there can also be done in the resolver anyway, so it's just a style question, where you want the complexity.

>Is it possible for the resolver to use anything from authentication? It would be great if on authentication it could return the attribute I'm looking for, but being able to search on the dn returned (from the authenticated bind) would also do the trick.

There's nothing special about requestContext.principalName, and nothing that limits you to that piece of data in the resolver as an input. You can always go poking into the Subject to pull data out of it in the resolver if you have to. The principalName is a convenience because it addresses 99% of people's needs. The other 1% have to write Java or scripts and start getting familiar with the Java Subject API.

-- Scott