From: Shiraz M. <a....@fz...> - 2017-03-20 11:47:15
Hi Krzysztof,

In addition to Sander's concerns about release of extra (or unwanted) attributes to the relying parties, it would also be interesting to know whether unity allows preventing users from hiding the released (or about to be released) attributes on the consent screen. So, here I mean, to block the possibility for the end users to hide the "important" attributes, which we as an authentication service are committed to release as a proxy IdP.

Cheers,
Shiraz

On Mon, Mar 20, 2017 at 10:33 AM, Sander Apweiler <sa....@fz...> wrote:

> Hi Krzysztof, all,
>
> I'm redesigning our output translation profiles. Therefore I start with
> a new translation profile with small information. I want to reduce the
> output for users in the confirmation screen. My output translation profile
> (whole profile below) has only four rules, but the confirmation screen
> lists eight attributes. Some of them are not requested and not released by
> the translation profile. So is there a mix up with the default output
> translation profile? If yes, is it possible to avoid this mix up?
>
> Here is some information about my system:
> unity 1.9.5
>
> Output translation profile:
> 1. condition: true
>    Action: createAttribute
>    AttributeName: urn:oid:1.2.840.113549.1.9.1
>    expression: attr['mail'].toString()
> 2. condition: true
>    Action: createAttribute
>    attributeName: urn:oid:2.5.4.3
>    expression: attr['cn']
> 3. condition: idsByType contains 'persistent'
>    Action: createAttribute
>    attributeName: unity:persistent
>    expression: idsByType['persistent']
> 4. condition: (requester contains 'URL')
>    Action: createAttribute
>    attributeName: memberOf
>    expression: groups + ['FSD2']
>
> Requested Attributes from SP are: unity:persistent,
> urn:oid:1.2.840.113549.1.9.1, cn, memberOf
>
> confirmation screen lists:
> 1. mail
> 2. unity:persistent
> 3. memberOf
> 4. sys:FilledEnquires
> 5. cn
> 6. urn:oid:1.2.840.113549.1.9.1
> 7. urn:oid:2.5.4.3
> 8. o
>
> So first it looks like email and cn, which are created in urn:oid notation
> in the translation profile, are released with their internal names too.
> Organisation Name and sys:FilledEnquires were neither released within the
> translation profile nor requested by the SP, but they are released too. Do
> you know the reason for this behaviour?
>
> Best regards,
> Sander
>
> --
> Federated Systems and Data
> Juelich Supercomputing Centre

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
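
An added example, not part of the original thread and not Unity's own code: a small audit that compares what an IdP actually releases with what the output translation profile is supposed to create, and flags values sent twice under an internal and a mapped name. It assumes a SAML 2.0 endpoint and a captured `AttributeStatement`; the sample statement and all its values are constructed, and the expected set is the four attribute names from the profile quoted above.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The four names created by rules 1-4 of the profile quoted in the thread.
PROFILE_CREATED = {"urn:oid:1.2.840.113549.1.9.1", "urn:oid:2.5.4.3",
                   "unity:persistent", "memberOf"}

# Constructed sample: the eight names from the consent screen, made-up values.
_VALUES = {
    "mail": ["user@example.org"],
    "unity:persistent": ["constructed-persistent-id"],
    "memberOf": ["/", "/FSD2"],
    "sys:FilledEnquires": ["constructed-enquiry"],
    "cn": ["Test User"],
    "urn:oid:1.2.840.113549.1.9.1": ["user@example.org"],
    "urn:oid:2.5.4.3": ["Test User"],
    "o": ["Example Org"],
}
SAMPLE = '<saml:AttributeStatement xmlns:saml="%s">%s</saml:AttributeStatement>' % (
    NS["saml"],
    "".join('<saml:Attribute Name="%s">%s</saml:Attribute>' % (
        name, "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v
                      for v in vals)) for name, vals in _VALUES.items()))

def released(xml_text):
    """Map attribute name -> sorted tuple of values in an AttributeStatement."""
    out = {}
    for attr in ET.fromstring(xml_text).iter("{%s}Attribute" % NS["saml"]):
        vals = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        out[attr.get("Name")] = tuple(sorted(vals))
    return out

def audit(xml_text, expected=PROFILE_CREATED):
    """Report names released beyond the profile, names missing, and duplicates."""
    attrs = released(xml_text)
    unexpected = sorted(set(attrs) - set(expected))
    missing = sorted(set(expected) - set(attrs))
    # An unexpected name carrying exactly the values of an expected one is
    # the same data released twice (internal name plus mapped name).
    dupes = sorted((u, e) for u in unexpected for e in expected
                   if e in attrs and attrs[u] and attrs[u] == attrs[e])
    return {"unexpected": unexpected, "missing": missing, "duplicates": dupes}

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

Run against a real captured assertion, this checks what reaches the relying party rather than what the consent screen displays, which may differ.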