Attribute Filter for AttributeRequest

Rod Widdowson rdw at
Wed Jul 4 11:28:41 EDT 2018

I suspect that you could dig into the ProfileRequestContext to get the profile being run and fire that up with a PredicateFilter.




From: users [mailto:users-bounces at] On Behalf Of Rosenfeld, Waldemar (extern)
Sent: 04 July 2018 16:25
To: users at
Subject: Attribute Filter for AttributeRequest




I have a SP that doing an authentication (kerberos or password) and start an attribute request with soap afterwards. 

Since it only has one entityID I configured the same attribute filter for both requests:

<AttributeFilterPolicy id="ExampleSP">

        <PolicyRequirementRule xsi:type="Requester" value="" />

        <AttributeRule attributeID="uid"                    permitAny="true"/>

        <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>

        <AttributeRule attributeID="eduPersonScopedAffiliation"              permitAny="true"/>

        <AttributeRule attributeID="givenName"              permitAny="true"/>

        <AttributeRule attributeID="sn"                     permitAny="true"/>

        <AttributeRule attributeID="mail"                   permitAny="true"/>

        <AttributeRule attributeID="isMemberOf" permitAny="true"/>



In this case, all above attributes will be sent to the SP twice, one for the authentication and one for the attribute request. 

The attribute “isMemberOf” is only needed for the attribute request and not for the authentication part. Is there any way to permit
this attribute only for the attribute request part?





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list