override attribute value for given SP?
Ryan Suarez
ryan.suarez at sheridancollege.ca
Tue Aug 25 20:17:33 UTC 2020
Oh, that's actually quite elegant. I'll give it a try. I agree, not
ideal but these are the requirements put forward.
cheers,
Ryan
On Tue, 2020-08-25 at 20:01 +0000, Boyd, Todd M. wrote:
> While this is of course not an ideal situation, it is navigable. In
> the context of an LDAP attribute resolver, you could just define a
> new attribute that uses A's format but B's source property. If A is
> uid and B is mail or some such, it would look something like this
> (note - untested and mostly off the top of my head with a bit of
> copy/paste):
>
> <AttributeDefinition xsi:type="Simple" id="uid">
>     <InputDataConnector ref="myLDAP" attributeNames="sAMAccountName" />
>     <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
>     <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
> </AttributeDefinition>
> <AttributeDefinition xsi:type="Simple" id="uidHack">
>     <InputDataConnector ref="myLDAP" attributeNames="mail" />
>     <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
>     <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
> </AttributeDefinition>
>
> Since attribute-filter.xml relies on attribute IDs and not attribute
> names, you would release uidHack to the SP rather than uid and it
> should be none the wiser. It will receive an attribute with the uid
> name but the value that would normally be released by the mail
> attribute.
>
>
> -Todd
>
> -----Original Message-----
> From: users <users-bounces at shibboleth.net> On Behalf Of Ryan Suarez
> Sent: Tuesday, August 25, 2020 1:22 PM
> To: users at shibboleth.net
> Subject: override attribute value for given SP?
>
> Greetings,
>
> We are running shib IdP v3.x and have the following attributes:
>
> <Attribute name="urn:oid:x.1" id="A"/>
> <Attribute name="urn:oid:x.2" id="B"/>
>
> For whatever reason the SP wants B but can only consume A. They are
> asking us to release A (which we are already making use of), but they
> are requesting that its value should contain B. Is it possible to
> override attributes per SP?
>
> regards,
> Ryan
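A check to run once both definitions exist, added here as an example and not taken from the thread: since uid and uidHack encode to the same SAML name, it flags any SP whose filter policies would release both, which would send that SP two different values under one name. The "everyone" policy and the SP entityID are constructed assumptions, and only `ANY` and `Requester` policy rules with permit rules are handled.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

XSI = "{http://www.w3.org/2001/XMLSchema-instance}type"
NS = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
# Constructed sample config: the "everyone" policy and the SP entityID are hypothetical.
RESOLVER = f"""<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver" {NS}>
  <AttributeDefinition xsi:type="Simple" id="uid">
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1"/>
  </AttributeDefinition>
  <AttributeDefinition xsi:type="Simple" id="uidHack">
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1"/>
  </AttributeDefinition>
</AttributeResolver>"""
FILTER = f"""<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp" {NS}>
  <AttributeFilterPolicy id="everyone">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="uid"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="specialSP">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth"/>
    <AttributeRule attributeID="uidHack"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def kids(el, name):  # descendants with this local tag name, whatever the namespace
    return [c for c in el.iter() if c.tag.rsplit("}", 1)[-1] == name]

def shared_names(resolver_xml):
    """(encoder type, wire name) -> definition IDs, where 2+ IDs share the name."""
    by_name = defaultdict(set)
    for d in kids(ET.fromstring(resolver_xml), "AttributeDefinition"):
        for enc in kids(d, "AttributeEncoder"):
            by_name[(enc.get(XSI), enc.get("name"))].add(d.get("id"))
    return {k: v for k, v in by_name.items() if len(v) > 1}

def collisions(resolver_xml, filter_xml):
    """SPs that would be sent 2+ definitions under one wire name."""
    per_sp, everyone = defaultdict(set), set()
    for pol in kids(ET.fromstring(filter_xml), "AttributeFilterPolicy"):
        ids = {r.get("attributeID") for r in kids(pol, "AttributeRule") if kids(r, "PermitValueRule")}
        req = kids(pol, "PolicyRequirementRule")[0]
        if req.get(XSI) == "ANY":          # policy applies to every SP
            everyone |= ids
        elif req.get(XSI) == "Requester":  # policy applies to one entityID
            per_sp[req.get("value")] |= ids
    return [(sp, name, sorted(defs & (ids | everyone)))
            for sp, ids in per_sp.items()
            for (_, name), defs in shared_names(resolver_xml).items()
            if len(defs & (ids | everyone)) > 1]
```

In the sample the catch-all policy still releases uid, so the SP is flagged; releasing only uidHack to that SP clears it.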