shibboleth-dev - [Shib-Dev] Federation Bridge Concept

Subject: Shibboleth Developers

  • From: <>
  • To: <>
  • Subject: [Shib-Dev] Federation Bridge Concept
  • Date: Thu, 30 Sep 2010 22:01:46 +0000
  • Accept-language: en-US

We are looking at prototyping a Federation Bridge to link together two federations that use a different set of attributes/profiles. Initially we are only worried about users of Federation A using the Service Providers of Federation B. Federation A uses the SAML Attribute Query Profile to share attributes, and uses a shared PKI for authentication. Our idea for bridging the federations was to deploy a Shibboleth IDP that could authenticate to Federation A's PKI and would use a new data connector that implemented SAML Attribute Query to get Federation A attributes. Then, using all the capabilities already native in the IDP, transform those attributes into Federation B attributes (as much as possible, of course). This IDP would ultimately exist in both trust fabrics, of course.
 
My questions to the list are:
 
1) Is there anything blatantly flawed with this approach?
2) Any idea how hard it would be to create that data connector?  Or does anything like this exist already?
 
Thanks,
Jeff
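
The transform step of the bridge described in the message above, as an added example that is not part of the original post or of Shibboleth: it takes the assertion returned by a Federation A attribute query, checks its issuer, and releases only attributes that have an explicit Federation B mapping. The entityID, attribute names, mapping table and sample assertion are all constructed assumptions.

```python
import xml.etree.ElementTree as ET  # in production, use a hardened XML parser

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
FED_A_AA = "https://aa.fed-a.example/saml"  # assumed entityID of Federation A's attribute authority

# Assumed mapping: Federation A name -> (Federation B name, value transform).
A_TO_B = {
    "urn:example:fedA:email": ("urn:example:fedB:mail", str.lower),
    "urn:example:fedA:role": ("urn:example:fedB:affiliation",
                              lambda v: v.lower() + "@fed-a.example"),
}

# Constructed sample: the assertion an Attribute Query response might carry.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2010-09-30T22:01:46Z">
  <saml:Issuer>https://aa.fed-a.example/saml</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:fedA:email">
      <saml:AttributeValue>Jane.Doe@Fed-A.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:fedA:role">
      <saml:AttributeValue>Staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:fedA:clearance">
      <saml:AttributeValue>internal-only</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def bridge_attributes(assertion_xml, expected_issuer=FED_A_AA):
    """Return (fed_b_attrs, dropped_names). Assumes the XML signature and
    validity window were already verified by the SAML stack."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext(SAML + "Issuer", default="").strip()
    if issuer != expected_issuer:
        raise ValueError("assertion issued by unexpected entity: %r" % issuer)
    released, dropped = {}, []
    for attr in root.iter(SAML + "Attribute"):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.findall(SAML + "AttributeValue")]
        if name not in A_TO_B:
            dropped.append(name)  # default-deny: unmapped attributes never cross the bridge
            continue
        b_name, transform = A_TO_B[name]
        released.setdefault(b_name, []).extend(transform(v) for v in values)
    return released, dropped
```

The list of dropped names is returned so the bridge can log which Federation A attributes were withheld from Federation B service providers.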
 