shibboleth-dev - Re: [Shib-Dev] Obtaining user attributes from a web form at the time of authentication

Subject: Shibboleth Developers

  • From: "Dharam Veer" <>
  • To:
  • Cc:
  • Subject: Re: [Shib-Dev] Obtaining user attributes from a web form at the time of authentication
  • Date: Sun, 26 Oct 2008 21:53:58 -0500

Thanks Scott.

I tried putting them in a form of cache and then retrieving them from the DataConnector; it worked, but I do not like it. I would have preferred a mechanism similar to the AuthenticationEngine for attribute retrieval also.

Basically I want to achieve a system similar to the OpenID Simple Registration protocol. As I read more about SAML 2.0 (and the Shibboleth implementation), attribute retrieval is more of a back-channel operation. This brings me to the second question:

In the Shibboleth AttributeQueryProfileHandler implementation, the binding that is specified in handler.xml is a SOAP binding. I already know that as of its current implementation I cannot use the http-redirect/post binding, but is there any limitation (from the specifications' point of view) regarding the binding you use for a profile (AttributeQuery in my case, for example)? If there is no limitation, then I may go ahead and do an http-redirect/post binding for AttributeQuery as an extension to the excellent Shibboleth framework.

In brief, I want the user to submit the attributes using a web form at the time of authentication. Doing this helps me obtain the user's consent as well.

I have looked at some Liberty specifications (ID-WSF, Interaction Service, etc.) but IMHO they are too complex to achieve simple things.

Would really appreciate your opinion, time and help on this matter.

Regards & thanks again
Dharam

On Sun, Oct 26, 2008 at 3:50 PM, Scott Cantor <> wrote:
> I have been able to understand how to write a custom login handler for
> Shibboleth (with a lot of hiccups in getting the xsd and configuration right :))
> and now I am onto the attributes part. As I understood from the
> documentation, DataConnectors are used to retrieve data from different
> sources, but in my case user attributes are to be submitted by the user using a
> web form, i.e. they are stored in some repository.

In general, you would have to do that ahead of time, store them, and then
retrieve them from the database.

> Do I have to write a DataConnector to do it? I looked in the code at how
> AttributeResolver is working and could not find a way to write a
> DataConnector which is capable of redirecting to a web page to collect
> attributes etc.?

There isn't. A connector has to handle both push and pull scenarios, and a
query wouldn't permit user interaction. That's aside from all the other
problems that might come up trying to do this.

I suppose eventually it may be useful to offer options for connectors that
just wouldn't support pull/query, but I don't think that option exists now.

-- Scott
