Shibboleth Developers

["Howard Gilbert" <>]

When the protocol ends, the ServiceProvider (Target) has
AuthenticationAssertion from the HS and a SAMLResponse from the AA.
Based on the schema (though the practice may be more specific)

The Response has 1 or more Assertions
Each Assertion has 1 or more AttributeStatements
Each Statement has 1 or more Attributes
Each Attribute has a name, namespace, and one or more Values

If the Attribute name matches an AttributeRule Name in AAP, then the
AttributeRule in AAP may also have a Header and an Alias as in

<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
Header="REMOTE_USER" Alias="user">

I haven't worked out the use of the Header and Alias fields. I suspect that
they might be used to generate a friendly name for the attribute across the
program API, but there was no code that attached them during the AAP apply()
processing.

Anyway, I need an API to present to some Java application after Shibboleth
has done all its processing. Assume I have put all this stuff together. What
attribute name does the application use?

A wild guess is that he could use the alias, because I haven't found any
other use for the lookup(alias) method in AAP that returns an AttributeRule
based on its alias string. While this use doesn't have anything to do with
Acceptance Policy, it has the obvious benefit that AAP already has to have a
table of all the attributes and there is no sense creating a second table to
give aliases just because of a program aesthetic that the Alias doesn't have
anything to do with Acceptance Policy decisions.

Of course, the program could just ask for the raw URN form of the attribute,
or get the list of all raw attribute names and values.

Or is there a third alterative?