Configuration for back channel attribute resolution (IdP v3)
Simon McLeish
simon.mcleish at gmail.com
Fri Oct 25 05:18:09 EDT 2019
Hi,
I'm trying to eliminate deprecated configuration in an IdP as version 4
becomes closer, and I'm having trouble working out how to configure
attribute resolution so that it works for requests coming from the back
channel.
We have two IdPs and one SP involved in this, but we have limited control
over one of the IdPs and the application behind the SP, and three different
unique identifiers for users.
IdP1 uses uid1 for authentication and returns uid2 as an attribute; it has
no information about uid3. It is only usable for some users, but provides a
familiar authentication route for them.
IdP2 uses uid2 for authentication, and returns uid3 as an attribute. All
users are in the directory behind this IdP.
Access to the application is determined by the value of uid3 (the
application is configured to take the attribute value for uid3 and use it
as its local user ID). To do this, the SP uses a back channel to IdP2 to
obtain the missing attribute value for uid3 for users who have
authenticated via IdP1.
What I basically want to know is how to sort out the attribute resolution
and release in IdP2 so that there is no deprecated configuration.
1) Is there a way to do this just using the attribute resolver? Or will it
be necessary to make use of c14n? At the moment, the configuration has a
PrincipalConnector element, which is the last remaining piece of deprecated
configuration, and the replacement (according to the logged warning) is
c14n, but if I can reconfigure without using it I would prefer to. After
all, I'm not really normalizing the subject, I know that's uid2 as supplied
by authentication (if IdP2 is the relying party) or as part of the
attribute request from the SP (if IdP1 is the relying party).
2) I'm looking at c14n/attribute-sourced-subject-c14n-config.xml. Do I need
to do anything to make the configuration file active in the IdP workflow?
Since I'm not actually intending to change the subject name, it's not at
all obvious how to change this file to get what I want, but the other
sample files are even less close to what I want to do.
I'm happy to share my configuration on a 1-1 basis if that will help, but I
don't really want to post it to a public list.
Thanks for any help you can give!
Simon
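As an added illustration (not Simon's configuration, which he did not post, and not an answer from the list): the two IdP v3 files that cooperate when uid3 has to be resolved for a uid2 arriving in a back-channel attribute query rather than from a login. The connector name, LDAP URL, base DN, credentials, the directory attribute names uid2/uid3 and the SAML attribute name are hypothetical; the bean ids and flow names are the IdP v3 defaults as I recall them, and c14n/SAML2Transform is only one of the c14n paths that can replace a PrincipalConnector.

```xml
<!-- conf/attribute-resolver.xml (excerpt): resolve uid3 for whatever principal
     the IdP has established. After a front-channel login that principal is the
     uid2 the user authenticated with; for a back-channel attribute query it is
     whatever subject canonicalization mapped the query's NameID to.
     Connector name, URL, base DN and credentials below are hypothetical. -->
<AttributeDefinition xsi:type="Simple" id="uid3">
    <InputDataConnector ref="myLDAP" attributeNames="uid3"/>
    <AttributeEncoder xsi:type="SAML2String" name="urn:example:uid3"
                      friendlyName="uid3" encodeType="false"/>
</AttributeDefinition>

<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="ldap://ldap.example.org"
    baseDN="ou=people,dc=example,dc=org"
    principal="cn=idp,ou=services,dc=example,dc=org"
    principalCredential="changeit">
    <!-- uid2 is assumed to be the directory attribute holding the principal name;
         the lookup is keyed on the canonicalized principal, so it works the same
         way for a login and for an attribute query -->
    <FilterTemplate>
        <![CDATA[
            (uid2=$resolutionContext.principal)
        ]]>
    </FilterTemplate>
    <ReturnAttributes>uid3</ReturnAttributes>
</DataConnector>

<!-- conf/c14n/subject-c14n.xml (excerpt): with no PrincipalConnector, the NameID
     in a back-channel query is turned into a principal name by the SAML subject
     c14n flows. SAML2Transform (commented out in the default file) passes the
     NameID value through as the principal, so a query whose NameID carries uid2
     yields the uid2 that $resolutionContext.principal sees above. Because the
     flow trusts the NameID value as presented, the query must still be signed
     by an SP the IdP's metadata and relying-party configuration authorize. -->
<util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
    <ref bean="c14n/SAML2Transient" />
    <ref bean="c14n/SAML1Transient" />
    <ref bean="c14n/SAML2Transform" />
</util:list>

<!-- Limit the transform flow to the NameID format the SP uses in its query
     (assumed here to be "unspecified"); other formats are not mapped. -->
<util:list id="shibboleth.c14n.SAML2Transform.Formats">
    <value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</value>
</util:list>
```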