Shibcas external authentication attributes

Cantor, Scott cantor.2 at
Wed May 1 09:52:34 EDT 2019

On 5/1/19, 12:22 AM, "users on behalf of jramsay at" <users-bounces at on behalf of jramsay at> wrote:

> I am wondering if it is possible to use any of the attributes returned by
> the Shibcas servlet post login by the Shibboleth IdP (3.4.3). 

The current (V3) mechanism for passing data in from an External authentication servlet is by stuffing each datum into an IdPAttribute object wrapped in an IdPAttributePrincipal object and then attaching those principals to the Subject established by the servlet's use of the ExternalAuthentication API. If it's changed to do that, then it's possible, if not, it's not.

> So far, I looked at the items under the IDP_HOME/conf/c14n directory which
> seemed to deal with the subject/principal which I don't intend to change so,
> I'm a bit lost.

There are two use cases for c14n:

- establishing a canonical principal name string as the result of authentication
- decoding a SAML NameID in a SAML request back into a canonical principal name

Your question has nothing to do with either of those.

-- Scott

More information about the users mailing list