
shibboleth-dev - attribute aggregation

Subject: Shibboleth Developers

  • From: "Tom Scavo" <>
  • To: "Shibboleth Development" <>
  • Subject: attribute aggregation
  • Date: Tue, 28 Mar 2006 16:31:13 -0500

Suppose IdPA pushes both an authentication assertion and an attribute
assertion to the SP. Assume the NameIdentifier is a globally unique
(persistent) principal identifier (such as ePPN or ePTID). Suppose
further that the NameQualifier attribute is set to the providerId of
IdPB. Is there any way to force an attribute query to IdPB despite the
fact that the SP has already consumed the attribute assertion from
IdPA?

If not, can we trigger the query by augmenting one of the assertions
in some way, perhaps by putting a special URI in the
AuthenticationMethod attribute of the authentication assertion (which
is needed anyway for the use case I have in mind) or by specifying a
new SAML attribute (whose value is a providerId) especially designed
for this purpose?

Thanks,
Tom


