Attribute Filter for AttributeRequest

Rod Widdowson rdw at steadingsoftware.com
Wed Jul 4 11:28:41 EDT 2018


I suspect that you could dig into the ProfileRequestContext to get the profile being run and fire that up with a PredicateFilter.

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Rosenfeld, Waldemar (extern)
Sent: 04 July 2018 16:25
To: users at shibboleth.net
Subject: Attribute Filter for AttributeRequest

Hi,

I have an SP that does an authentication (Kerberos or password) and starts an attribute request with SOAP afterwards.

Since it only has one entityID I configured the same attribute filter for both requests:

<AttributeFilterPolicy id="ExampleSP">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.com/" />
        <AttributeRule attributeID="uid"                        permitAny="true"/>
        <AttributeRule attributeID="eduPersonPrincipalName"     permitAny="true"/>
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
        <AttributeRule attributeID="givenName"                  permitAny="true"/>
        <AttributeRule attributeID="sn"                         permitAny="true"/>
        <AttributeRule attributeID="mail"                       permitAny="true"/>
        <AttributeRule attributeID="isMemberOf"                 permitAny="true"/>
</AttributeFilterPolicy>

In this case, all of the above attributes will be sent to the SP twice, once for the authentication and once for the attribute request.

The attribute “isMemberOf” is only needed for the attribute request and not for the authentication part. Is there any way to permit this attribute only for the attribute request part?

Thanks,

Waldemar