Cantor, Scott cantor.2 at osu.edu
Fri Jan 21 20:22:03 UTC 2022

On 1/21/22, 2:55 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

>    I'm quite sure there's no way, out of the box, to do this with Shibboleth.

That depends on one's definition I guess. For us, "must write code" doesn't mean it's not out of the box. If you don't have to modify our code and can use only supported extension points, that's what we consider to be our goal met.

> Has anyone figured out any ways to do this, though?

Aside from more aggressive injection points like replacing message decoders, inbound interceptor flows are the mechanism defined for this purpose. I've built them to process additional parameters to the IdP-initiated endpoint. The context tree is extensible in tons of ways so there are many ways to capture the information for use later.

The main downside to them is that we didn't provide a great way at this point to add an inbound interceptor without accidentally turning off the built-in one we use for SAML message processing, but that one can be added by hand alongside a custom one, it's just not as clean as I'd like.

-- Scott

More information about the users mailing list