Attribute Filter for AttributeRequest

Rosenfeld, Waldemar (extern) waldemar.rosenfeld.extern at gv.mpg.de
Wed Jul 4 11:24:43 EDT 2018


Hi,

I have an SP that does an authentication (Kerberos or password) and starts an
attribute request with SOAP afterwards.

Since it only has one entityID, I configured the same attribute filter for
both requests:

<AttributeFilterPolicy id="ExampleSP">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.com/" />
    <AttributeRule attributeID="uid" permitAny="true"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
    <AttributeRule attributeID="givenName" permitAny="true"/>
    <AttributeRule attributeID="sn" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
    <AttributeRule attributeID="isMemberOf" permitAny="true"/>
</AttributeFilterPolicy>

In this case, all of the above attributes will be sent to the SP twice, once for the
authentication and once for the attribute request.

The attribute "isMemberOf" is only needed for the attribute request and not
for the authentication part. Is there any way to permit this attribute only
for the attribute request part?

Thanks,
Waldemar
