In the AM, we currently do not have access to the unfiltered attributes from the Assertion as sent by the IdP.
We do have $response["__"]["OriginalRepsonse"]["saml:AttributeStatement"] but that does not seem to contain the full unfiltered attributes. Specifically, any attributes that are not in the SP's ARP are missing.
So, make a new (readonly) variable $idpAttributes available to the manipulation script that we can use to make specific exceptions to the ARP.
Use case
In test2, we want regular IdPs to get surf-autorizations and surf-crm-id from the AA. Only for the DIY-IdP, we want some of the users to have specific values set for these attributes.
This would be doable with an AM, if we can see the values the IdP is giving.