List:       shibboleth-users
Subject:    RE: Shortcut for releasing attributes requested in metadata
From:       "Wessel, Keith" <kwessel () illinois ! edu>
Date:       2022-01-25 15:34:43
Message-ID: MN2PR11MB41918CB641B20B4F28AAF015CB5F9 () MN2PR11MB4191 ! namprd11 ! prod ! outlook ! com

Thanks, Scott. I had considered doing entity attributes corresponding to each
attribute or, when appropriate, sets of attributes. But I came down to the same
conclusion you stated: it's really six of one, a half dozen of the other.

And thanks for confirming that I'm taking the right route here. I've got lots of
attribute filter definitions that have built up over the past 10+ years, and it makes
for a lengthy attribute-filter.xml.

Keith


-----Original Message-----
From: users <users-bounces@shibboleth.net> On Behalf Of Cantor, Scott
Sent: Tuesday, January 25, 2022 6:49 AM
To: Shib Users <users@shibboleth.net>
Subject: Re: Shortcut for releasing attributes requested in metadata

On 1/24/22, 10:09 PM, "users on behalf of Wessel, Keith"
<users-bounces@shibboleth.net on behalf of kwessel@illinois.edu> wrote:

> Is there any shortcut for that? Or is that the only way to do it? I
> can't think of a way to simply tell the IdP to release any attribute requested in
> metadata for a given metadata source.

The policy language designed in Shibboleth V2+ doesn't allow for that; there has to
be an AttributeRule in the policy and they have to identify the Attribute involved.

> And, for that matter, is there any reason I shouldn't take this route 
> that anyone can think of before I manage to shoot myself in the foot?

We went with EntityAttribute tags in our examples so that the GUI project would have
a consistent approach to follow, but there's ultimately not much difference in how it
looks or works; both are essentially the same idea. Yes, you should use metadata,
however you do it. A new filter policy should only be needed for unusual cases like
value filtering or when adding new attributes.

-- Scott


--
For Consortium Member technical support, see \
https://urldefense.com/v3/__https://shibboleth.atlassian.net/wiki/x/ZYEpPw__;!!DZ3fjg!tBh7VwzpnsBCCZfUzpRrGudnjCceopyIh4p5TKhphHipOtLXUD0VvwRDvaG0-u3MCg$
 To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net
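
The two approaches compared in this thread, side by side, as an added illustration that is not from either poster or from the Shibboleth project. The policy ids, the groupID, the attribute IDs and the entity attribute tag name are assumptions; substitute the values your deployment uses. Because the first policy releases whatever the SP's metadata requests, it is scoped to one metadata group rather than applied to every SP.

```xml
<!-- Added example: attribute-filter.xml fragment in IdP V4 style syntax. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Approach 1: release attributes the SP lists as RequestedAttribute
         in its metadata. There is no wildcard, so every attribute that may
         be released needs its own AttributeRule naming it. -->
    <AttributeFilterPolicy id="example-requested-in-metadata">
        <!-- Assumed group name of the trusted metadata source. -->
        <PolicyRequirementRule xsi:type="InEntityGroup"
            groupID="https://federation.example.org/metadata" />

        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="AttributeInMetadata"
                onlyIfRequired="false" />
        </AttributeRule>

        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="AttributeInMetadata"
                onlyIfRequired="false" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Approach 2: release based on an entity attribute tag carried in the
         SP's metadata. The rule still names the attribute; only the
         metadata signal that triggers release differs. -->
    <AttributeFilterPolicy id="example-entity-attribute-tag">
        <PolicyRequirementRule xsi:type="ANY" />

        <AttributeRule attributeID="mail">
            <!-- Assumed tag name and value; use the tag your metadata carries. -->
            <PermitValueRule xsi:type="EntityAttributeExactMatch"
                attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
                attributeValue="mail" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

With either policy in place, onboarding another SP is a metadata change rather than a new filter policy, which keeps release decisions reviewable in one place.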

