alternate attribute names

Baron Fujimoto baron at
Wed Jul 11 23:16:55 EDT 2018

On Thu, Jun 28, 2018 at 01:10:01PM -0700, Greg Haverkamp wrote:
>On Thu, Jun 28, 2018 at 12:30 PM IAM David Bantz <dabantz at> wrote:
>> I found this an interesting thread. I have several times followed exactly
>> the tack suggested by Nate
>> (encode a specially constructed attribute with name and friendlyName to
>> meet special requirements of an SP).
>> So it's interesting a little concerning to read Marvin's recommendation
>> for what seems a more convoluted method
>> using activation conditions. Marvin or others, could you elaborate on why
>> this is a superior approach?
>We don't do consent, so I'm not sure where those wins are.  For me, the
>huge win is not having to worry about filtering.  Before I shifted to using
>the activation conditions, I'd create the entirely new attribute, with an
>entirely new attribute ID, and then I'd have to go write add to a filter
>policy to release that attribute.  But if some vendor comes along and wants
>uid released as an attribute named "username" instead of
>"urn:oid:0.9.2342.19200300.100.1.1", I can do that just in the resolver, in
>an existing attribute definition, without a bunch of copied boilerplate in
>two files.

I've also learned from this thread, thanks. I can see benefits to having the alternate names defined with the activation condition. A minor(?) downside I see is that when I release the attribute in the attribute filter by its AttributeDefinition ID, it also releases all other alternate named versions of the attribute as well. Or am I missing some means to limit the released attribute to just the variant intended for that relying party?

Baron Fujimoto <baron at> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

More information about the users mailing list