forCanonicalization and attribute resolution
cantor.2 at osu.edu
Wed Oct 28 19:35:45 UTC 2020
On 10/28/20, 2:52 PM, "users on behalf of Nate Klingenstein" <users-bounces at shibboleth.net on behalf of ndk at signet.id> wrote:
> I'm trying to take ePPN and use it both for Subject canonicalization and also encode the proxied version as an attribute.
> With a single AttributeDefinition with forCanonicalization="true", I was unable to get the value to be sent as an attribute
> as well.
The point of the option, which I will figure out how to replace with something more elegant, is to automate "where" it gets the Subject it pulls the data from. In the "c14n" case, the Subject is sitting in a staging area. In the "normal" case, it's sitting in the SubjectContext as an "official" thing. That is the logged in user. The c14n case is prior.
Boiling that into a "simple" setting and coming up with a name was difficult.
> Is my interpretation of all of this correct? If so, it's a bit confusing and counterintuitive at first, but makes sense if I think
> like code.
The Encoder isn't needed, obviously, that's handled automatically for standard attributes now, but in other respects, yes, that's what you do. If it didn't work that way, you couldn't use the EPPN only for one purpose or the other. But I am aware it is unintelligble and I will hopefully find another way to deal with it. The priority was to make proxying work and on balance it does but that's a rough spot.
More information about the users