
shibboleth-dev - Re: [Shib-Dev] [IdPv3] Attribute Resolver Work


Re: [Shib-Dev] [IdPv3] Attribute Resolver Work

  • From: Paul Hethmon <>
  • To: Shibboleth Dev <>
  • Subject: Re: [Shib-Dev] [IdPv3] Attribute Resolver Work
  • Date: Wed, 26 May 2010 16:21:20 -0400

Sure.

A situation I'm exploring today is supporting a non-unique login ID
namespace with a single IdP. Login IDs are essentially made unique based on
the relying party the user wants to access:

joe + rp1 != joe + rp2

So, at the IdP auth layer, I can gather this information based on the
relying party info.

What I would like to do is be able to convey that information in an
attribute because sometimes I may not send the user back to the requested
relying party. Instead, this user may be required to execute a change
password, which goes to another relying party site altogether. That third
party site needs to know what the user's original relying party
information is.

In essence, I'm multiplexing distinct systems into a single system to save
the overhead of creating multiple systems.

Another use I can think of is my one relying party that wants me to muck
with their relay state information. If I can create attribute data at the
servlet level, then I can convey that information to them in a proper
attribute instead of having to munge what should be opaque data.

Overall, I seem to have a lot of information available at authentication
that could be useful, but is not easily available outside of the
authentication context.

I haven't looked at the data connector code, but from what I have looked at
inside of Shib, it seems that you could create a data connector that can
pull information out of the session store. So, inside of the authentication
servlet, it uses a method out of HttpHelper to store name/value or perhaps
name/object pairs? The new data connector would simply access that data
store when called.

Paul



On 5/26/10 4:00 PM, "Chad La Joie" <> wrote:

> Can you explain a bit more about what you mean? I'm not sure I understand.
>
> On 5/26/10 2:24 PM, Paul Hethmon wrote:
>> Chad,
>>
>> One new thing I would like to see is a way for the authentication servlet to
>> set information for attributes. So basically a data connector to the
>> authentication servlet.
>>
>> thanks,
>>
>> Paul