Hi all,

I'm running into an issue that has been frustrating me for the past

Scenario: I'm trying to federate the NAM IDP with a third party SP via
SAML2 (in this instance, Shibboleth SP). I have it working quite well.
It works with SP initiated auth, as well as IDP initiated using
inter-site transfer URLs (which is what I'm currently using). When I
authenticate, I have the IDP selected to send over a set of basic
attributes that the SP needs, and that works--at first. The problem
comes if I try to re-authenticate using different contracts in the same
session. For example, I want to be able to authenticate using a
contract level 1, then allow the user to authenticate with a level 2
contract for increased access. It just so happens that my level 1
contract points to a different user store, albeit with identical
information, but with less available attributes. So, I was counting on
more user information being available when they authenticate to the
level 2 store. However, what I'm seeing is that the IDP is ONLY
releasing attributes to the SP on the first contract authentication. It
seems to me that attributes should be released every time the user
authenticates, but it's not. I did notice my SP sent a SOAP attribute
request after the assertion was received, presumably because no
attributes were in the assertion. The IDP then threw an error on the
SOAP response. But that is besides the point because I do not want to
use SOAP for this, so I have not bothered to troubleshoot that error.
The setup I'm doing requires that the IDP and SP may not necessarily be
able to directly talk to each other, so POST is my only option.

Any ideas why it's not releasing attributes on subsequent
authentications with the same session? I have worked with other IDPs
(not NAM) and have not seen this behavior, so I'm wondering if it's a
bug in my version.

- I'm currently using 3.1.3 (yes, I'm in the process of planning an
upgrade to 3.2, but I need this working on 3.1.3 for the time being).
- I have also tried about every setting I can think of, including
overwriting temp/real users in the method settings.

This could seriously make or break a project I'm working on so any help
would be appreciated!!


adamdn01's Profile: https://forums.netiq.com/member.php?userid=2226
View this thread: https://forums.netiq.com/showthread.php?t=47789
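A quick diagnostic for the situation described in the post: dump the AuthnContextClassRef and the attributes of each SAML Response the SP receives (first-contract login and the step-up login) to confirm that the second assertion arrives without an AttributeStatement, which is exactly what makes a Shibboleth SP fall back to a SOAP AttributeQuery. This is an added example, not code from the post, from NAM or from Shibboleth; the two Response documents are constructed samples and the element names are the standard SAML 2.0 ones.

```python
# Added example: inspect SAML 2.0 Responses for an AttributeStatement.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def inspect_response(xml_text):
    """Return (authn_context, {attribute_name: [values]}) for one Response.

    authn_context is the AuthnContextClassRef text (None if absent). The dict
    is empty when the assertion carries no AttributeStatement, i.e. the IDP
    released nothing and the SP has only the Subject to work with.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response contains no Assertion")
    ctx = assertion.find(".//saml:AuthnContextClassRef", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return (ctx.text if ctx is not None else None), attrs

def has_attributes(xml_text):
    """True when the Response's assertion releases at least one attribute."""
    return bool(inspect_response(xml_text)[1])

# Constructed sample: first-contract assertion, attributes present.
FIRST = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:AuthnStatement><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
   <saml:Attribute Name="mail"><saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# Constructed sample: step-up (second contract) assertion, no AttributeStatement.
SECOND = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
 <saml:Assertion ID="_a2" Version="2.0">
  <saml:AuthnStatement><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, doc in (("first", FIRST), ("second", SECOND)):
        print(label, inspect_response(doc))
```

Feed it the decoded SAMLResponse values from the SP's transaction log to see which login lost its attributes.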