TransformAttributeResolver adds instead of replacing values

Peter Schober peter.schober at
Wed Sep 8 09:50:00 UTC 2021

* Kimmo Koivisto <kimmo.koivisto at> [2021-09-07 20:11]:
> My use case is that our application is able to use only the
> nationalIdentificationNumber attribute. Some IdPs provide the social
> security number in nationalIdentificationNumber, some in
> schacPersonalUniqueID and some IdPs might provide both attributes.

Maybe using the attribute filter you could block the value of one of
the two attributes if the other has a(ny) value(s)? That would ensure
that when you later combine both attributes using a Transform or
Template that there'd be no duplicate values, I think.

Seems to me the (deprecated) Compound Matcher should be able to do this?

> I'm trying to figure out the solution for this use case but it seems
> that I'm out of luck.

Keeping those attributes separate within the SP and simply looping
over them in application code is out of the question?

Maybe custom code called as part of a sessionHook would be able to
manipulate some application-specific session (in memory or maybe
within a database) if the application uses something like that and the
framework/language used provides the APIs for you to mess with it?
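
The "loop over both attributes in application code" option from the reply above, as an added example that is not part of the original post or of Shibboleth itself. It assumes the SP exports the two attributes under the names shown, that multiple values arrive joined with ';' (a literal ';' escaped as '\;'), and that schacPersonalUniqueID values use the SCHAC URN layout; the sample values are constructed.

```python
import re

# Assumption: the SP exports both attributes under these names (they come
# from the "id" values in attribute-map.xml); adjust to the local mapping.
NIN_VAR = "nationalIdentificationNumber"
SPUID_VAR = "schacPersonalUniqueID"

# Assumption: schacPersonalUniqueID values follow the SCHAC URN layout
# urn:schac:personalUniqueID:<country>:<idType>:<idValue>
SPUID_RE = re.compile(
    r"^urn:schac:personalUniqueID:[A-Za-z]{2}:[^:]+:(.+)$", re.IGNORECASE)

SAMPLE_ENV = {  # constructed sample values, not real identifiers
    NIN_VAR: "010101-123N",
    SPUID_VAR: "urn:schac:personalUniqueID:fi:FIC:010101-123N",
}


def split_values(raw):
    # The SP joins values with ';' and escapes a literal ';' as '\;'.
    if not raw:
        return []
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]


def national_ids(env):
    """Return the distinct identifier values found in either attribute."""
    seen = []
    for value in split_values(env.get(NIN_VAR)):
        if value not in seen:
            seen.append(value)
    for value in split_values(env.get(SPUID_VAR)):
        m = SPUID_RE.match(value)
        # Values that do not parse as a SCHAC URN are skipped, not trusted.
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def single_national_id(env):
    """Return the one identifier; fail closed on none or on a conflict."""
    ids = national_ids(env)
    if len(ids) != 1:
        raise ValueError(f"expected exactly one identifier, got {len(ids)}")
    return ids[0]
```

Calling single_national_id(SAMPLE_ENV) yields one value even though both attributes carry it, and a session where the two attributes disagree is rejected rather than silently picking one.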

