Question regarding sending attribute from SP to IdP

Cantor, Scott cantor.2 at
Thu Jun 25 17:19:50 UTC 2020

On 6/24/20, 3:00 PM, "users on behalf of Feinstein, Moses" <users-bounces at on behalf of moses.feinstein at> wrote:

> Is there a way to send a custom attribute from Shib SP to Shib IdP for example inside authentication request or similar
> which can then be parsed by IdP and determine which ldap attribute needs to be released based on the custom value
> IdP received from the SP?

The intended way to do that is a RequestedAttributes extension defined in 2017.

We supported that in the IdP in at least V4, I don't know if it showed up prior. Getting the SP to include something like it in a request is not simple, bordering on painful.

It's better to come up with metadata driven ways to deal with this sort of thing using AttributeConsumingService elements. You have not provided clear requirements, so it's impossible to respond other than with "I wouldn't do it".

-- Scott
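
As an added illustration (not part of the original message and not Shibboleth code), this sketch shows what the metadata-driven approach carries: an SP's metadata declares one or more AttributeConsumingService elements, and a consumer of that metadata can read which attributes each one requests. The entityID, service names, attribute choices and the `requested_attributes` helper are all constructed for the example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed SP metadata: entityID, service names and attribute choices are assumptions.
SP_METADATA = f"""\
<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AttributeConsumingService index="1" isDefault="true">
      <md:ServiceName xml:lang="en">Example portal</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          FriendlyName="mail" NameFormat="{URI}" isRequired="true"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="2">
      <md:ServiceName xml:lang="en">Example admin console</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          FriendlyName="mail" NameFormat="{URI}" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          FriendlyName="eduPersonPrincipalName" NameFormat="{URI}"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def requested_attributes(metadata_xml, index=None):
    """Return [(Name, isRequired)] for one AttributeConsumingService.

    index=None picks the isDefault service, else the first one listed.
    Only parse metadata whose signature/source was already verified.
    """
    root = ET.fromstring(metadata_xml)
    services = root.findall(f".//{{{MD}}}SPSSODescriptor/{{{MD}}}AttributeConsumingService")
    if index is None:
        chosen = [s for s in services if s.get("isDefault") in ("true", "1")] or services[:1]
    else:
        chosen = [s for s in services if s.get("index") == str(index)]
    if not chosen:
        return []  # unknown index: no AttributeConsumingService matches, nothing is requested
    return [(ra.get("Name"), ra.get("isRequired") in ("true", "1"))
            for ra in chosen[0].findall(f"{{{MD}}}RequestedAttribute")]

if __name__ == "__main__":
    for idx in (None, 2, 9):
        print(idx, requested_attributes(SP_METADATA, idx))
```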
