Resolving attributes from a SAML proxy

Wessel, Keith kwessel at illinois.edu
Wed Oct 6 19:55:18 UTC 2021


Sorry, I was intending to include the encoder. I realize that's the only way to get it to associate the SAML2 attribute name with what I'm calling it inside the IdP. I should have stated that part.

I don't need to release it from my IdP, just receive it. But I'm still unclear about the attribute definition: what should the type be, and should it have an input data connector?

I believe you're saying that simply having it defined in the attribute resolver will allow it to do a reverse lookup of the SAML2 attribute name in the encoder to an attribute name inside the IdP. So, do I just need the attribute definition and not the subject data connector if I'm only using it internally and not releasing it?

Keith


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Wednesday, October 6, 2021 2:50 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Resolving attributes from a SAML proxy

On 10/6/21, 3:45 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

> And it sounds like it'd be simpler to just do that for the one 
> attribute Im trying to add. If I did still want to define it in the attribute resolver instead, that would work, too, correct?

Yes (for upgraded IdPs). New installs do not load the resolver file into the registry so it doesn't see or generate rules based on AttributeEncoders.

> Would I just make it of type "simple" and list my subject data 
> connector as the input data connector for the attribute definition?

You can, but the purpose isn't to get it to "produce" the Attribute, it's to attach the AttributeEncoder so that the id and the claim name are connected. If you don't put the AttributeEncoder there, it won't work, and in turn it will generate a SAML Attribute by that name on the wire on the way out if it releases that also.

-- Scott


--
For Consortium Member technical support, see https://urldefense.com/v3/__https://shibboleth.atlassian.net/wiki/x/ZYEpPw__;!!DZ3fjg!p1njF55i73yOXen9AoxNWrmx9Ta1wDZt_vbRAKxUvKW35PNbdYFOsUWjVKPv_lh2iw$
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net


More information about the users mailing list