Resolving attributes from a SAML proxy
kwessel at illinois.edu
Wed Oct 6 20:10:46 UTC 2021
And the type of the attribute should be simple (since it's not going to be a scoped attribute)?
And the subjectDataConnector should be the input to the attribute definition?
Yes, the attribute registry is sounding better by the minute.
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Wednesday, October 6, 2021 3:01 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Resolving attributes from a SAML proxy
On 10/6/21, 3:55 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> I believe you're saying that simply having it defined in the
> attribute resolver will allow it to do a reverse lookup of the SAML2
> attribute name in the encoder to an attribute name inside the IdP. So, do I just need the attribute definition and not the subject data connector if I'm only using it internally and not releasing it?
You need the data connector if you intend resolving attributes to produce the thing. If you just want it inside the Java Subject itself, then the definition alone is enough. I doubt that's what you really intend, so you need the connector to pull it out. You might as well just layer the attribute definition on it too.
There's a reason this is all insane, that's why the registry had to be created. Even trying to explain how to do it the other way is unintelligible.