attributes from external auth

Jason Pyeron jpyeron at pdinc.us
Wed Jan 13 19:39:41 UTC 2021 

We have an identity source, which provides the unique user id and associated metadata for that user. It is "expensive" to communicate with it. Our external auth (Shibboleth Identity Provider 4.0.1) is attempting to store attributes at the same time as the principal is stored. For argument sake, let's assume it free to get the attributes at the same time as the uid, but double the cost to fetch them subsequently [6].

Reading the mailing list archives [1,2,3] it seems what we want to do is not possible. But the documentation [4] for external auth outputs indicates it should be able to set the attributes. To quote:

> Any IdPAttribute objects supplied will be processed by the AttributeFilter 
> service as "inbound" data. If at least one value in the "authnAuthorities"
> attribute is supplied, it is set as the "issuer" of the attributes for the
>  purposes of the filter evaluation.

We have increased the logging to DEBUG on net.shibboleth.idp.attribute, which resulted in the confirmation that the attributes were set, then later filtered away.

Since the attributes were not set, we stepped back and used some hard coded example (template) attribute definitions. This confirmed that our IdP was happy to provide the values to a SP.

Is it true that external auth can provide attributes in v4 (was true in v2 per mailing list) as implied by the docs, source code, and logs? 

If so, what are the possible (and preferred) mechanisms to define them and (not) filter them away? ScriptedAttribute, ContextDerived, Simple with a InputAttributeDefinition/InputDataConnector, or something else?

Our current path of investigation is using the InputDataConnector [5], but we have been unsuccessful in identifying what to put as the value for "ref" to source from the attributes returned from the shibboleth.authn.External.externalAuthnPath being used by configuration idp.authn.flows=External. We have even restarted the server in debug, stopping on ComponentInitializationException to inspect what sources are available.

It is quite likely that I am going about this all wrong.

Thoughts and suggestions requested.

Respectfully,

Jason Pyeron


1: http://shibboleth.net/pipermail/users/2014-December/018489.html
2: http://shibboleth.net/pipermail/users/2014-December/018412.html
3: http://shibboleth.net/pipermail/users/2016-August/031039.html
4: https://wiki.shibboleth.net/confluence/display/IDP4/ExternalAuthnConfiguration#ExternalAuthnConfiguration-Outputs
5: http://shibboleth.net/pipermail/users/2020-August/047909.html
6: Connection cost much greater than query cost


--
Jason Pyeron  | Architect
PD Inc        |
10 w 24th St  |
Baltimore, MD |
 
.mil: jason.j.pyeron.ctr at mail.mil
.com: jpyeron at pdinc.us
tel : 202-741-9397

More information about the users mailing list