Adding attributes to external IdP response

Cantor, Scott cantor.2 at osu.edu
Tue Mar 13 16:08:30 EDT 2018


> The theory was that there was a way to configure an identity provider to pass
> requests through to the main IdP, then once a user has been authenticated,
> append extra attributes to the response before it's sent back to the application.
> We would then configure our applications to use our "proxy" IdP, leaving them
> with the "main" response plus our extra decorations. I've been told this is
> possible (possibly using the RemoteUserAuthnConfiguration flow?), but I
> haven't been able to find any indication in the documentation that this is an
> intended use of Shibboleth IdP. In case it's relevant, I'm told making any custom
> modifications to the main IdP is not an option.

There are people doing it; it just takes some resolver configuration work to suck in headers from an SP in front of the RemoteUser endpoint and republish them one by one. We have some open issues to look at design changes to make passthrough of data simpler to manipulate.

-- Scott


