Environment
None
Activity
Lukas Hämmerle August 17, 2016 at 2:58 PM
Ok, thanks. That was the missing piece. I extended the doc with a few examples and added the info on the InProcess element, because there one apparently also needs to load the plugins-lite.so.
Scott Cantor August 17, 2016 at 12:48 PM
It's in plugins.so, you have to load the extension library, like ADFS.
I would never add this to the default file, it's just a niche feature. And it's quite risky to use, with no security implemented.
Lukas Hämmerle August 17, 2016 at 6:22 AM
Thanks for the prompt reaction. But I think it does not work as documented (or I just don't get it yet).
Also I think the "acl" attribute is missing in the documentation. And ideally the handler would also be added to shibboleth2.xml.dist in future versions.
Scott Cantor August 16, 2016 at 5:17 PM
Basic docs added.
It's a bit of a weird thing, I'm not sure it's very clear how to explain what it's doing. In practice it's doing queries but in actual fact it's more abstract than that.
Scott Cantor August 16, 2016 at 1:51 PM
I didn't get around to documenting it, I'll have to try and do it when I have time.
Fixed
This is a proposal to add a handler like this in Shibboleth:
<Handler type="AttributeQuery" Location="/AttributeQuery" acl="127.0.0.1"/>
This handler could be accessed using more or less the same parameters as the arguments of the resolvertest binary. E.g. /Shibboleth.sso/AttributeQuery?nameId=1234asdd&entityId=https://example.org/idp/shibboleth&protocol=SAML2&nameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
The SP - provided the acl allows it - would then make an attribute query to the given Identity Provider and return the attributes (in a format similar to the Session handler's) or an error message.
Such a handler would make it easier to check whether a user still has an account at an Identity Provider (orphan checking), and it would also provide a useful means to update a user's data without any interaction by the user himself.
Using resolvertest is currently not a suitable option because it is very slow (>10s per request because it loads the whole config) and because it probably was not meant for this job.
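Putting the pieces from this thread together, here is an added shibboleth2.xml fragment (it is not from the issue description, nor from the Shibboleth SP distribution) showing the proposed handler declared inside Sessions together with the extension library loaded on both the OutOfProcess and InProcess sides, which is what the comments above say is needed. The library file names plugins.so and plugins-lite.so are taken from those comments; the entityID, handlerURL, the other Sessions attributes and the ACL value are assumptions for illustration.

```xml
<!-- Added example, not part of the original issue or of the Shibboleth SP distribution. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">

    <!-- Out-of-process (shibd) side: load the extension library that carries the
         AttributeQuery handler ("It's in plugins.so, you have to load the extension
         library, like ADFS"). fatal="true" makes a missing/broken library abort startup
         rather than silently leaving the handler undefined. -->
    <OutOfProcess>
        <Extensions>
            <Library path="plugins.so" fatal="true"/>
        </Extensions>
    </OutOfProcess>

    <!-- In-process (web server module) side: the lite variant has to be loaded here as
         well, otherwise the module does not know the handler type. -->
    <InProcess>
        <Extensions>
            <Library path="plugins-lite.so" fatal="true"/>
        </Extensions>
    </InProcess>

    <!-- entityID is an assumed placeholder. -->
    <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                         REMOTE_USER="eppn persistent-id targeted-id">

        <!-- Sessions attributes are the usual defaults; only handlerURL matters for the
             URL shape used in the proposal (/Shibboleth.sso/AttributeQuery?...). -->
        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                  handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">

            <!-- The handler from the proposal. The acl attribute is the only access
                 control it has ("quite risky to use, with no security implemented"), so
                 keep it as narrow as the deployment allows. Assumption here: only
                 callers on the SP host itself need it (IPv4 and IPv6 loopback). -->
            <Handler type="AttributeQuery" Location="/AttributeQuery" acl="127.0.0.1 ::1"/>

            <!-- The standard SSO, Logout, Status, Session, ... handlers would be
                 declared here as in the stock shibboleth2.xml.dist. -->
        </Sessions>

        <!-- MetadataProvider, AttributeExtractor, AttributeResolver and
             CredentialResolver follow here as in any normal deployment. -->
    </ApplicationDefaults>
</SPConfig>
```

With this in place the request from the proposal would be sent to https://sp.example.org/Shibboleth.sso/AttributeQuery?nameId=...&entityId=...&protocol=SAML2&nameIdFormat=... from the SP host itself. One caveat on the acl: it is evaluated against the client address the web server sees, so if the SP sits behind a reverse proxy every caller appears to come from the proxy's address and a loopback ACL will either block everything or, if the proxy runs on the same host, admit everything the proxy forwards; decide where the orphan-checking script will run before choosing the ACL.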