Issue with large HTTP headers for ECP authentication

Cantor, Scott cantor.2 at
Wed Dec 12 09:37:34 EST 2018

On 12/12/18, 9:31 AM, "users on behalf of Daudt, Carl" <users-bounces at on behalf of crdaudt at> wrote:
> Scott, I might have mislead you and other readers to infer that the size of the shib_idp_session_ss cookie was growing
> over time.

Yes, my mistake. I definitely was thinking in those terms and trying to imagine cases that might happen.

>  (3) Then in attribute-resolver.xml, we removed the <ReturnAttributes> line in the DataConnector for LDAP.

You certainly *can*, but that will obviously cause it to return everything, which may be unnecessary. Usually it's best to enumerate what you want from it to control the "namespace" of internal attribute names floating around the resolver.

Whether it's preferred to do it inline or in a property is style, but I think properties ended up overused with the resolver, I don't personally care for the lack of locality of reference, not to mention losing reloadability.

Thanks for clarifying,
-- Scott

More information about the users mailing list