
shibboleth-dev - Re: Chances for audit logging in 1.3?

Subject: Shibboleth Developers

  • From: Thomas Lenggenhager <>
  • To: Walter Hoehn <>
  • Cc: Shibboleth Developers <>
  • Subject: Re: Chances for audit logging in 1.3?
  • Date: Thu, 23 Dec 2004 10:55:57 +0100

> I'm
> concerned that having a filter for values that get logged adds too much
> complexity. Do you have a specific use case that might require this?

I could especially see the need for attribute values which are not taken from
a database but which are generated on the fly, like the targetedID. Where
else would you have that info available when an SP contacts an IdP and
wants to know more about the individual identified with one specific
targetedID?

Another use case could be an attribute of dynamic nature changing its value
very often. E.g. in the area of presence services where an attribute would
provide the current location of the user. There, an audit log would be the
only place you would be able to find out which value an IdP really sent to
an SP.

> > Wouldn't it be necessary to have also the Name Identifier presented to
> > the AA in the attribute release in order to know to which
> > authentication
> > request that attribute request belongs to?
>
> This doesn't really tie things to a specific request except in the case
> where Shibboleth handles are being used.

That's what I meant.

> We don't dump the SAML request in DEBUG mode, only the response. I'd
> be glad to add this for you, though. Could you put this in as a
> separate bugzilla please?

Thank you, I have added it to bugzilla.

Thomas



