I am not sure if I am right or wrong, but I found something interesting.
I have an IDP that connects to LDAP for authentication. It also passes some attributes to the SP identifying the user. I have set up a Map in the security context and have correctly debugged my AttributeManager to see that it does correctly get the attributes from my LDAP.
When I connect to my SP, it does everything correctly, authenticates me, and authorizes me into the application, but I do not see my attributes passed to the SP from the IDP. It appears that the response to the SP is sent back from the IDP before the attributes are retrieved from my LDAP. If I run the SAML2AuthenticationHandler in debug mode, and slowly step through the code, letting the original request expire, and a "Reissue request" is sent to the IDP from the SP, then my attributes appear.
Thanks! - Shane
Little more information...
When I submit my auth request and get a response back from the IDP, it does not contain the attributes I am sending (employee number, mail) but does contain my list of roles. If I refresh my browser, thus resending the request before the Assertion expires (in less than 60 seconds), the attributes are still not sent. However, if I refresh my browser (resending the request) after the Assertion expires (after 60 seconds), I get an error from the SPPostFormAuthenticator that says, "Assertion has expired. Asking IDP for reissue", and the response from the IDP contains my attributes and my roles.
Any ideas on this??
One thing I have noticed...
In my logs, I see that the IDPAuthentication handler always sends the RESPONSE before the attribute manager has been invoked. That is why the attributes do not get sent with the first response. If I hit REFRESH on the browser, the browser just resends the same SAML REQUEST, and the IDP does not rebuild the RESPONSE as the original Assertion is still valid (probably because my SKEW time is 60 seconds).
Anyway, once the Assertion expires, the second request will cause the RESPONSE to be reissued, and since the Attribute Manager put the values in the session AFTER the original request, it finds them and sends them.
I have tried to adjust the order of my handlers to no success.
Is there a way to ensure the Attribute Manager gets invoked BEFORE the response is sent from the IDP back to the SP?