Comment: Clarify some considerations surrounding issuer post

...

  • protocol
    • A protocol identifier used for logging purposes, and to acquire metadata for the issuer.
  • issuer
    • (optional) An entityID or similar unique identifier for the authentication source. If present, used to look up metadata, when available. If not, no issuer is associated with the session.
  • address
    • The client's IP address.

...

Warning

A requirement of using the form post option is that the attribute names used MUST correspond to attribute IDs specified in the attribute-map.xml file or other attribute extractor plugins. This is to ensure that the SP defends against header spoofing properly, because it relies on those plugins to self-identify the possible set of attribute names to protect. Simply put, don't invent new attribute names to populate; use existing attribute names that are already in use for SAML-based sessions, creating new mappings if necessary.

Attributes placed into the ExternalAuth POST will be subjected to attribute policy as defined in the attribute-policy.xml file. This could be particularly significant if you define an attribute whose policy enforcement rests upon metadata properties. For example, any scoped attribute (such as eppn or affiliation) may incorporate the ScopingRules rule, which is predicated on a metadata definition of scope, referenced by the issuer's entityID. In this case you may need to adjust policy to accommodate arbitrary scope on these attributes.
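The following is an added example, not code from the Shibboleth project or this page, showing a pre-flight check a caller of the ExternalAuth handler can run before posting: it parses an attribute-map.xml (a constructed excerpt is embedded below), rejects any attribute name in the planned POST that is not a declared attribute ID, and flags scoped attributes (those using a ScopedAttributeDecoder) that are being posted without an issuer, since the ScopingRules policy described above has no metadata scope to consult in that case. The handler parameters protocol, issuer and address come from the parameter list above; the payload values, the function names and the handling of the `aliases` attribute are assumptions made for illustration.

```python
"""Pre-flight check for an ExternalAuth form POST against attribute-map.xml.

Added example (not Shibboleth project code). The XML and payload below are
constructed stand-ins, not a real deployment's files.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

ATTRIBUTE_MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Handler parameters named in the documentation; these are not attributes.
HANDLER_PARAMETERS = {"protocol", "issuer", "address"}

# Constructed excerpt in the shape of attribute-map.xml (assumption: real files
# carry the same elements; this one is deliberately small).
SAMPLE_ATTRIBUTE_MAP = """\
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
</Attributes>
"""

# Constructed payload: displayName is intentionally absent from the map above.
SAMPLE_PAYLOAD = {
    "protocol": "urn:example:external-login",  # constructed protocol identifier
    "address": "192.0.2.10",                   # documentation-range IP
    "eppn": "jdoe@example.org",
    "mail": "jdoe@example.org",
    "displayName": "Jane Doe",
}


def load_declared_attributes(xml_text):
    """Return {attribute id: is_scoped} for every <Attribute> in the map.

    An id (and any space-separated 'aliases', an assumption about the file
    format) counts as scoped when its decoder is a ScopedAttributeDecoder.
    """
    root = ET.fromstring(xml_text)
    ns = {"am": ATTRIBUTE_MAP_NS}
    declared = {}
    for attr in root.findall("am:Attribute", ns):
        decoder = attr.find("am:AttributeDecoder", ns)
        decoder_type = decoder.get(f"{{{XSI_NS}}}type", "") if decoder is not None else ""
        scoped = decoder_type == "ScopedAttributeDecoder"
        ids = [attr.get("id")] + (attr.get("aliases") or "").split()
        for attr_id in ids:
            if attr_id:
                declared[attr_id] = scoped
    return declared


def check_payload(payload, declared):
    """Report undeclared attribute names and scoped attributes posted without an issuer."""
    has_issuer = bool(payload.get("issuer"))
    unknown, scoped_without_issuer = [], []
    for name in payload:
        if name in HANDLER_PARAMETERS:
            continue
        if name not in declared:
            unknown.append(name)           # SP would not protect this header name
        elif declared[name] and not has_issuer:
            scoped_without_issuer.append(name)  # ScopingRules has no scope to check
    return {"unknown": sorted(unknown),
            "scoped_without_issuer": sorted(scoped_without_issuer)}


def build_form_body(payload, declared):
    """Encode the POST body, refusing any attribute name not declared in the map."""
    report = check_payload(payload, declared)
    if report["unknown"]:
        raise ValueError(f"undeclared attribute names: {report['unknown']}")
    return urlencode(payload)


if __name__ == "__main__":
    declared = load_declared_attributes(SAMPLE_ATTRIBUTE_MAP)
    print(check_payload(SAMPLE_PAYLOAD, declared))
    fixed = {k: v for k, v in SAMPLE_PAYLOAD.items() if k != "displayName"}
    fixed["issuer"] = "https://idp.example.org/idp"  # constructed entityID
    print(build_form_body(fixed, declared))
```

The check refuses to build a body while an undeclared name is present, which matches the rule above: add a mapping to attribute-map.xml first rather than inventing a new name. The scope warning is only advisory; whether the policy needs adjusting depends on the ScopingRules configuration in the deployment's attribute-policy.xml.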

Output Format

If an error occurs, the SP handler will return an HTTP error status, typically 500, but in any case, not 200.

...