Can I query a user's employeeNumber w/o them logging in?
Peter Schober
peter.schober at univie.ac.at
Tue Feb 26 15:09:40 EST 2019
* Kelsey, Bart <Bart.Kelsey at osumc.edu> [2019-02-26 21:03]:
> Is there any way to query shibboleth for a user's attributes without
> having them log in? I need some way to connect contact information
> to OSU accounts, and the public user directory doesn't seem to have
> any kind of unique, immutable ID.
Not sure that's what you're asking but as the IDP admin you could use
the AACLI (e.g. /opt/shibboleth-idp/bin/aacli.sh by default on Unix)
to look up data by providing the netid used for logging in (-n
parameter) and the entityID of a SAML SP the desired data would be
released to (-r parameter).
Another aspect of this would be attribute queries, i.e., as the SP
you'd be using previously recieved and persisted data to query an IDP
for data about the subject. Though usually you'd only be getting the
same kind of about the subject -- or less (e.g. in case their account
is not active any more).
But I don't understand what this has to do with "unique, immutable
IDs", so YMMV.
-peter
More information about the users
mailing list