Don't use attribute release (or even worse, NameID manipulation) to do authz for services that are broken. If you want to deny access, just do that (context-check interceptor flow). And file a bug with the vendor since that's a broken application.

-- Scott