Resolving attributes from a SAML proxy

Wessel, Keith kwessel at
Wed Oct 6 20:10:46 UTC 2021


And the type of the attribute should be simple (since it's not going to be a scoped attribute)?

And the subjectDataConnector should be the input to the attribute definition?

Yes, the attribute registry is sounding better by the minute.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Wednesday, October 6, 2021 3:01 PM
To: Shib Users <users at>
Subject: Re: Resolving attributes from a SAML proxy

On 10/6/21, 3:55 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

>    I believe you're saying that simply having it defined in the 
> attribute resolver will allow it to do a reverse lookup of the SAML2 
> attribute name in the encoder to an attribute name inside the IdP. So, do I just need the attribute definition and not the subject data connector if I'm only using it internally and not releasing it?

You need the data connector if you intend resolving attributes to produce the thing. If you just want it inside the Java Subject itself, then the definition alone is enough. I doubt that's what you really intend, so you need the connector to pull it out. You might as well just layer the attribute definition on it too.

There's a reason this is all insane, that's why the registry had to be created. Even trying to explain how to do it the other way is unintelligible.

-- Scott

For Consortium Member technical support, see;!!DZ3fjg!rYHPHIjvdFmtCwxgau3gAzhTQ1VmMPZHGsfyW-UaBY9k6YIQUsDrswGH6lXWf78iOw$
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list