attributes from external auth

Cantor, Scott cantor.2 at osu.edu
Wed Jan 13 20:08:05 UTC 2021


> Reading the mailing list archives [1,2,3] it seems what we want to do is not possible. But the documentation [4] for 
> external auth outputs indicates it should be able to set the attributes. To quote:

Messages from 2014 don't have much relevance compared to actual documentation when you're talking about not even the same major release.

>    Is it true that external auth can provide attributes in v4 (was true in v2 per mailing list) as implied by the docs, source
> code, and logs? 

Yes.

>  If so, what are the possible (and preferred) mechanisms to define them and (not) filter them away? ScriptedAttribute,
> ContextDerived, Simple with an InputAttributeDefinition/InputDataConnector, or something else?

Attributes obtained during authentication are stored inside the Subject and tracked as part of the AuthenticationResult for that method. If you're trying to make use of them later or pass them out to an SP, you need the Subject DataConnector [1] to pull them out for that purpose.

I don't recall the External login method filtering attributes. Proxying via SAML does, but I didn't think External did, don't recall offhand. If it says it does or logs say it does then it does. Perhaps it does only in the case where an authenticationAuthority is supplied.

>    Our current path of investigation is using the InputDataConnector [5],

That element is used to express dependencies between connectors; it is not a connector or a definition of anything. It's a line in the graph, not a node.

-- Scott
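
An added illustration of the two points in the reply above (not part of the original message, and not configuration from the poster's deployment): an attribute-resolver fragment in which a Subject DataConnector is the node that pulls attributes out of the Subject, and `InputDataConnector` is only the dependency edge pointing at it. The ids and attribute names (`subjectAttrs`, `mail`, `displayName`) are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
        xmlns="urn:mace:shibboleth:2.0:resolver"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <!--
        Node: the Subject DataConnector. It exposes attributes that the
        login method stored inside the Subject as part of its
        AuthenticationResult. Without a connector of this type those
        attributes are not visible to the resolver.
        "subjectAttrs" is a hypothetical id.
        exportAttributes publishes the named attribute directly,
        with no AttributeDefinition needed ("mail" is an assumed name).
    -->
    <DataConnector id="subjectAttrs" xsi:type="Subject"
                   exportAttributes="mail" />

    <!--
        Node: an ordinary Simple definition for a second attribute
        ("displayName" is an assumed name).
        Edge: the InputDataConnector child. It defines nothing itself;
        it only declares that this definition takes its values from
        the connector named in ref.
    -->
    <AttributeDefinition id="displayName" xsi:type="Simple">
        <InputDataConnector ref="subjectAttrs" attributeNames="displayName" />
    </AttributeDefinition>

</AttributeResolver>
```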



