My MFA script is clearing the list of requested attributes

Cantor, Scott cantor.2 at osu.edu
Fri May 26 14:04:55 EDT 2017


On 5/26/17, 1:27 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

> I've got the following code in my MFA configuration that, when executed, seems to be clearing the list of requested attributes.
> That is to say that, after it executes, no attributes are getting returned to the SP after successful authentication. Obviously, and
> using a basis of the example shipped with the IdP, this is getting the attribute that tells which methods a user is allowed to use.

This isn't really related to the attributes that get returned to the SP. It's an "extra" resolution step to drive your logic but the IdP will still run the resolver afterward as normal. With caching of connectors, it's possible to add efficiencies, but they are separate resolution steps.

> The issue might be this line later in the script, that has a comment about cleanup:

It's related, but the real reason is that the attributes are never transferred from the AttributeResolutionContext into an AttributeContext, which is where the system looks for them later.

If you really want to do it, it is possible to preserve them, but the general intent of the example was that you would explicitly resolve one attribute needed for the rules to work, and not the whole set of connectors and attributes that normally run.

-- Scott




