wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

[QUESTION] Attribute Release Policies through XACML #7951

Open kranidiotis opened 4 years ago

kranidiotis commented 4 years ago

Question

We have a case where, in a multi-valued attribute (i.e. eduPersonEntitlements) with values x, y, z, we want SP A to be able to get the values x, y only and SP B to be able to get the values y, z only.

In Shibboleth this can be managed through IdP Attribute Release Policies: https://wiki.shibboleth.net/confluence/display/SHIB/IdPARPConfig

There you can define not only which attributes should be released to the SPs but also which values of those attributes may be released.

In WSO2 we are able to define requested claims for each provider, but we can't (at least not in a straightforward way, or at all?) define specific values of a claim to be or not be released to an SP. Is there a way to define such behaviour over XACML?

Environment information

emswbandara commented 4 years ago

We can use the adaptive authentication feature for this [1], where you can implement custom use-cases such as the above using the inbuilt JavaScript editor. In the script editor you can access the user attributes using the following expression: context.currentKnownSubject.localClaims['http://wso2.org/claims/username']. Then, based on the service provider name available in context.serviceProviderName, you can change the value of this claim.

[1] https://is.docs.wso2.com/en/5.9.0/learn/adaptive-authentication/
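The following is an added illustration of the approach described in the comment above; it is not code from the WSO2 project or from the commenter. It sketches an adaptive authentication script that trims a multi-valued claim to the values a given service provider is allowed to see, using the `context.currentKnownSubject.localClaims` and `context.serviceProviderName` handles the comment mentions. The claim URI, the comma separator, the service provider names and the release policy table are constructed assumptions; `executeStep` is the engine-provided function and is only referenced, not defined, here. The filtering logic is kept in a plain function so it can be exercised outside the Identity Server.

```javascript
// Added example (not WSO2's own code): per-SP value filtering of a multi-valued claim
// from inside a WSO2 IS adaptive authentication script. ES5 syntax is used because the
// script engine of the 5.9 era is ES5-based.

// Assumed local claim URI holding the multi-valued entitlement attribute.
var ENTITLEMENT_CLAIM = 'http://wso2.org/claims/eduPersonEntitlement';
// Assumed separator used for multi-valued claims in this deployment.
var MULTI_VALUE_SEPARATOR = ',';

// Constructed release policy: which values each SP may receive. Any SP not listed
// receives no values at all (default deny), so a typo in an SP name cannot leak
// the whole attribute.
var RELEASE_POLICY = {
  'SP-A': ['x', 'y'],
  'SP-B': ['y', 'z']
};

// Pure helper: keep only the values the policy permits for spName.
function filterClaimValues(rawValue, spName, policy) {
  if (!rawValue) { return []; }
  var allowed = policy[spName] || [];
  return String(rawValue)
    .split(MULTI_VALUE_SEPARATOR)
    .map(function (v) { return v.trim(); })
    .filter(function (v) { return allowed.indexOf(v) !== -1; });
}

// Applies the policy to the claim map of an authentication context. Returns the
// value that was written back so callers can check it.
function applyReleasePolicy(context, policy) {
  var claims = context.currentKnownSubject.localClaims;
  var filtered = filterClaimValues(claims[ENTITLEMENT_CLAIM], context.serviceProviderName, policy);
  claims[ENTITLEMENT_CLAIM] = filtered.join(MULTI_VALUE_SEPARATOR);
  return claims[ENTITLEMENT_CLAIM];
}

// Entry point as WSO2 IS invokes it. executeStep is supplied by the script engine;
// the claim is rewritten after the first authentication step succeeds, before the
// assertion/token for the SP is built.
var onLoginRequest = function (context) {
  executeStep(1, {
    onSuccess: function (context) {
      applyReleasePolicy(context, RELEASE_POLICY);
    }
  });
};

// Constructed context shaped like the one the engine passes, for local demonstration.
function sampleContext(spName, rawEntitlements) {
  var claims = {};
  claims[ENTITLEMENT_CLAIM] = rawEntitlements;
  return { serviceProviderName: spName, currentKnownSubject: { localClaims: claims } };
}
```

Deployed in the Identity Server, only the `onLoginRequest` part matters; `applyReleasePolicy` and `sampleContext` exist so the filtering rule can be run and checked outside the product. The default-deny choice for unlisted SPs is deliberate: an SP that is missing from the policy table should receive none of the attribute rather than all of it.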

ruwanta commented 4 years ago

Hi @kranidiotis, it would be better to use other channels for questions or seeking help. Better to keep GitHub issue tracking for bug reports or feature requests.

e.g. Slack User channel https://wso2is.slack.com/archives/CDWPC5MUL