Re: How to retrieve SP required attributes at the IDP before authentication (Paul Hethmon)

Dierick Bart

Mar 21, 2012, 12:18:04 PM
to d...@shibboleth.net
No; in my loginhandler I just need to know which attributes the Service Provider needs. What I'm going to do is:
 
1) the Service Provider forwards to the IDP
2) the IDP chooses my loginhandler
3) my loginhandler creates and shows a servlet. That servlet asks for authentication AND it shows which attributes the Service Provider needs. So the loginhandler has to know the required attributes.
4) the user authenticates AND provides the required attributes as viewed in the servlet
5) the authentication is completed, the attributes are PUSHED to the Service Provider.
 
 
So the loginhandler needs the info about the required attributes so that the user can provide these attributes.
 
So you suggest and say that this is (only) possible with the metadata of the SP?
 
Greetings

Paul Hethmon

Mar 21, 2012, 12:33:12 PM
to Shibboleth Dev
There are 2 places I know of that can give a list of SP required/requested attributes:

1. The SP metadata itself can list them. However, that does not mean the SP will get them.
2. The Shibboleth configuration of attributes (attribute-resolver.xml and attribute-filter.xml). This controls what is released.

You don't have access to #2 unless you are going to parse out all of that configuration yourself. You would have access to #1.

You would need to create a custom attribute resolver to store those attributes the user provides until Shib calls it post-authentication. In doing this I also created my own Principal class that has the data storage for my attributes. My resolver checks the class type and does the right thing.

Paul
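
Added example, not part of the thread and not Shibboleth code: a standalone Python sketch of source #1 above, reading the `md:RequestedAttribute` entries an SP declares in its SAML metadata. The sample metadata, the entityID and the function names are constructed for illustration; the result is only what the SP asks for, since release is still decided by the IdP's attribute filter.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
TRUE = ("true", "1")  # lexical forms of xs:boolean true

# Constructed, trimmed SP metadata; entityID and attribute choice are made up.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def pick_service(services, index=None):
    """Choose the AttributeConsumingService: explicit index, else the default."""
    by_index = {s.get("index"): s for s in services}
    if index is not None:
        return by_index[str(index)]  # KeyError if the SP never declared that index
    for s in services:
        if s.get("isDefault") in TRUE:
            return s
    # No explicit default: first one not marked isDefault="false", else the first.
    return next((s for s in services if s.get("isDefault") is None), services[0])

def requested_attributes(metadata_xml, entity_id, index=None):
    """Return [(Name, FriendlyName, required)] that the SP's metadata asks for."""
    root = ET.fromstring(metadata_xml)  # assumes the IdP's trusted metadata copy
    # root.iter() also yields root itself, so one entity or an aggregate both work.
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        if entity.get("entityID") != entity_id:
            continue
        services = entity.findall("md:SPSSODescriptor/md:AttributeConsumingService", NS)
        if not services:
            return []  # SP lists nothing: metadata cannot answer the question
        svc = pick_service(services, index)
        return [(a.get("Name"), a.get("FriendlyName"), a.get("isRequired") in TRUE)
                for a in svc.findall("md:RequestedAttribute", NS)]
    raise KeyError(f"no metadata for {entity_id}")

if __name__ == "__main__":
    for name, friendly, required in requested_attributes(
            SAMPLE_METADATA, "https://sp.example.org/shibboleth"):
        print(f"{friendly or name}: {'required' if required else 'optional'}")
```

`isRequired` is optional in the schema and defaults to false, so attributes without it are reported as optional.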
