Question regarding sending attribute from SP to IdP
Cantor, Scott
cantor.2 at osu.edu
Thu Jun 25 17:19:50 UTC 2020
On 6/24/20, 3:00 PM, "users on behalf of Feinstein, Moses" <users-bounces at shibboleth.net on behalf of moses.feinstein at touro.edu> wrote:
> Is there a way to send a custom attribute from Shib SP to Shib IdP, for example inside the authentication request or similar,
> which can then be parsed by the IdP to determine which LDAP attribute needs to be released based on the custom value
> the IdP received from the SP?
The intended way to do that is a RequestedAttributes extension defined in 2017.
http://docs.oasis-open.org/security/saml-protoc-req-attr-req/v1.0/cs01/saml-protoc-req-attr-req-v1.0-cs01.pdf
We supported that in the IdP in at least V4, I don't know if it showed up prior. Getting the SP to include something like it in a request is not simple, bordering on painful.
It's better to come up with metadata driven ways to deal with this sort of thing using AttributeConsumingService elements. You have not provided clear requirements, so it's impossible to respond other than with "I wouldn't do it".
-- Scott
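The metadata-driven alternative Scott points to works like this: the SP publishes one or more AttributeConsumingService elements in its metadata, each listing the attributes that service wants, and an AuthnRequest may carry an AttributeConsumingServiceIndex that selects one of them. The IdP resolves the index against the SP's trusted metadata, never against anything in the request itself, and then applies its own release policy on top. The following is an added example written for this reply; it is not Shibboleth code and not part of the original message. The metadata, the AuthnRequest, the user attribute values and the IdP policy set are all constructed for illustration (the entityIDs and locations are placeholders), and a real IdP would read them from its metadata provider and attribute filter configuration rather than from literals.

```python
"""Resolve the attributes an IdP should release to an SP using SAML 2.0
metadata (AttributeConsumingService) plus the AttributeConsumingServiceIndex
of an AuthnRequest.  Added example; not Shibboleth code.  All XML and
policy values below are constructed for illustration."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata: two consuming services, index 0 is the default.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">Library portal</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Staff directory</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.4" FriendlyName="sn"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.3" FriendlyName="employeeNumber"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest selecting consuming service 1.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed-request-id" Version="2.0" IssueInstant="2020-06-25T17:00:00Z"
    AttributeConsumingServiceIndex="1">
  <saml:Issuer>https://sp.example.edu/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed resolved attributes for the authenticated user, keyed by SAML Name (OID).
USER_ATTRIBUTES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "mfeinstein@example.edu",
    "urn:oid:0.9.2342.19200300.100.1.3": "mfeinstein@example.edu",
    "urn:oid:2.5.4.42": "Moses",
    "urn:oid:2.5.4.4": "Feinstein",
    "urn:oid:2.16.840.1.113730.3.1.3": "00042",
}

# Constructed IdP release policy for this SP: employeeNumber is deliberately NOT permitted,
# so the SP's metadata cannot pull it out just by asking.
IDP_POLICY = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "urn:oid:0.9.2342.19200300.100.1.3",
    "urn:oid:2.5.4.42",
    "urn:oid:2.5.4.4",
}


@dataclass
class ConsumingService:
    index: int
    is_default: bool
    name: str
    requested: dict = field(default_factory=dict)  # attribute Name -> isRequired


def parse_consuming_services(metadata_xml: str) -> dict:
    """Return {index: ConsumingService} from an SP's SPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    services = {}
    for acs in root.iterfind(".//md:SPSSODescriptor/md:AttributeConsumingService", NS):
        svc = ConsumingService(
            index=int(acs.get("index")),
            is_default=acs.get("isDefault", "false").lower() == "true",
            name=acs.findtext("md:ServiceName", default="", namespaces=NS),
        )
        for ra in acs.iterfind("md:RequestedAttribute", NS):
            svc.requested[ra.get("Name")] = ra.get("isRequired", "false").lower() == "true"
        services[svc.index] = svc
    return services


def requested_index(authn_request_xml: str):
    """Extract AttributeConsumingServiceIndex from an AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    idx = root.get("AttributeConsumingServiceIndex")
    return int(idx) if idx is not None else None


def select_service(services: dict, index) -> ConsumingService:
    """Pick the consuming service: explicit index, else isDefault, else lowest index.
    An index not present in trusted metadata is rejected rather than guessed."""
    if index is None:
        defaults = [s for s in services.values() if s.is_default]
        return defaults[0] if defaults else services[min(services)]
    if index not in services:
        raise ValueError(f"AttributeConsumingServiceIndex {index} is not in the SP's metadata")
    return services[index]


def resolve_release(services: dict, index, user_attributes: dict, idp_policy: set) -> dict:
    """Release only attributes that are requested by the selected service AND permitted
    by the IdP's own policy; a required attribute that cannot be supplied is an error."""
    svc = select_service(services, index)
    released = {}
    for name, required in svc.requested.items():
        value = user_attributes.get(name) if name in idp_policy else None
        if value is None:
            if required:
                raise LookupError(f"required attribute {name} for '{svc.name}' cannot be released")
            continue  # optional attribute: silently omitted
        released[name] = value
    return released


def demo() -> dict:
    services = parse_consuming_services(SP_METADATA)
    return resolve_release(services, requested_index(AUTHN_REQUEST), USER_ATTRIBUTES, IDP_POLICY)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name} = {value}")
```

The point of the design is that the request only selects among attribute sets already agreed in metadata, and the IdP's policy still has the last word: in the example, service 1 asks for employeeNumber, but because the constructed policy does not permit it for this SP, it is dropped rather than released. Shibboleth's attribute filter has an AttributeInMetadata rule that performs this kind of matching against the SP's RequestedAttribute elements; the code above uses xml.etree for readability, whereas an IdP would use a hardened XML parser and verify the metadata's signature before trusting any of it.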