IDP proxy - attribute

Jerry Bailie jebailie at
Fri Aug 14 16:54:44 UTC 2020

Ok, thanks for the info.

Stating a different way, the aim is to 'passthrough' an attribute from the
proxy to the SP.

For example, surname (which is released by the proxy and can be found in
the SAML).

       <AttributeFilterPolicy id="attributesfromproxy">
           <PolicyRequirementRule xsi:type="Issuer" value="
https://the_entityID_link" />
           <AttributeRule attributeID="surname">
                <PermitValueRule xsi:type="ANY" />

      <DataConnector id="passthroughAttributes" xsi:type="Subject"
exportAttributes="surname" />

Most likely need more than this, any guidance would be greatly appreciated !

- Jerry

On Wed, Aug 12, 2020 at 7:08 PM Cantor, Scott <cantor.2 at> wrote:

> >    So we know that it is being 'exported' out of the proxy.
> No, some bogus, made-up SAML Attribute that is *not* defined by eduPerson
> is being exported. eduPerson attributes in SAML 2 have names derived from
> OIDs in the form of URNs. The defined mapping rules are correct out of the
> box. Passing data that is not correct will not be processed, and the
> message reflects that.
> >    1) What should the "value" of the issuer be?
> The entityID of the IdP you're proxying to is the issuer for a rule that
> handles acceptance, it's just the inverse of a release rule.
> >    2) It's not clear how to 'map' the incoming attribute to a
> Transcoding rule.
> I wouldn't in this particular case, but the documentation on creating
> custom rules is in the wiki.
> -- Scott
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list