Resolving attributes from a SAML proxy

Wessel, Keith kwessel at
Wed Oct 6 19:03:52 UTC 2021

Hi, all,

I'm chasing my tail here, and to make things more complicated, this page either seems broken or implete:

The reference section is empty.

I'm trying to get an attribute, not the subject, back from a SAML proxy. I've still got the setup from IdP 4.0 for retrieving the subject. I still need to update that. But that's working fine and mapping the uid to the subject. Now, I want to retrieve an additional attribute from the upstream IdP, and it's not one currently defined in my attribute resolver. It's a Microsoft-esque attribute.

I know I can pull the attributes back using the subjectDataConnector. I see I can supply a list of attributes to retrieve. Should those be friendly names or SAML2 attribute names in that list? I'm referring to the exportAttributes attribute to this data connector element.

I also see that I need to add the attribute to my attribute filter config to allow the ADFS IdP to assert it.

DO I also need to add an attribute definition so that I can use the attribute elsewhere in the IdP, resolving it and doing things like... oh, I don't know... deciding if the upstread IdP performed MFA so I can release the right ACR value?


More information about the users mailing list