Adding attributes to external IdP response

Richard Abdill rabdill at
Tue Mar 13 15:24:02 EDT 2018

Hi all. I'm trying to unravel a weird use case and could use a hand. My
team supports applications that connect (via various service providers) to
an identity provider run by our university. The basic problem is that the
user data being returned from the university's system doesn't incorporate
information specific to our organization: attaching details about internal
groups a person is a part of, for example.

The theory was that there was a way to configure an identity provider to
pass requests through to the main IdP, then once a user has been
authenticated, append extra attributes to the response before it's sent
back to the application. We would then configure our applications to use
our "proxy" IdP, leaving them with the "main" response plus our extra
decorations. I've been told this is possible (possibly using
the RemoteUserAuthnConfiguration flow?), but I haven't been able to find
any indication in the documentation that this is an intended use of
Shibboleth IdP. In case it's relevant, I'm told making any custom
modifications to the main IdP is not an option.

Has anyone given this a try? This is personally my first real foray into
this arena, and I can't tell if "special information attached to some
requests but not others" is a logical use of federated identity management
or an egregious violation of it. Thanks for your time.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list