My MFA script is clearing the list of requested attributes

Wessel, Keith kwessel at
Sat May 27 18:54:20 EDT 2017

Hmmmm... In that case, I think I have a problem. Doubt it's a bug since I'm basically using this snippet of code from the shipped example.

To clarify, no, I'm not resolving all requested attributes. Sorry, I was confused on what the getRequestedIdPAttributeNames method returned. If it returns an empty collection, I'm only adding my single attribute to it with code just like in the sample.

But I've moved the segment of code that I included at the beginning of this thread around in my script. If it's inside an if block that doesn't get executed because the condition isn't met, I get attributes back just fine. If I put it higher up in the MFA script before that if block, or if I meet the condition of the if statement, no attributes are returned to my SP after authentication..

And, as you said, this shouldn't be happening.

What logging categories might I turn up to tell me why this is happening?


-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Saturday, May 27, 2017 11:29 AM
To: Shib Users <users at>
Subject: Re: My MFA script is clearing the list of requested attributes

On 5/26/17, 2:44 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> Thanks, Scott. But I'm still a bit foggy on this.So because I'm resolving all attributes from the request in the script, they're not
> being later resolved?

The resolution in the script shouldn't have any impact on the resolution that normally happens. I haven't received any reports of any undesirable interactions there, but it's possible that if the AttributeResolutionContext isn't removed (as the example does) there's something I haven't considered.

> From what you said, the later resolution should be unphased by my script even though I'm unnecessarily resolving everything.

I didn't know you were resolving "everything" but no, that shouldn't cause any problem.

> And if I do just want to resolve the single attribute, can you point me to a code snippet to accomplish that? I assume I still
> initialize an attribute resolution context and set the principal, but my call to resCtx.getRequestedIdPAttributeNames() would
> need to change. I assume I need to initialize a blank collection of attribute names that I can then call add or set on.

There's already an empty collection created, you just do:


(That's taken from the example.)

-- Scott

To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list