Where do I get information about the currently connected user? That is, how does Shibboleth pass the information?
Can I set some restrictions on actions using the [Authorize] attribute based on data acquired from Shibboleth?
Shibboleth publishes user attributes associated with sessions into HTTP request headers, based on header names defined in the Attribute Acceptance Policy (1.3.x) or Attribute Mapping (2.x) files. These headers are transformed into CGI variables based on mapping rules defined by the CGI specification.
You should be aware of this security advisory: http://shibboleth.net/community/advisories/secadv_20090615.txt
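One way to tie the header mechanism described in the answer to `[Authorize]` in ASP.NET MVC, as an added example that is not part of the original answer or of Shibboleth's own code. It assumes an SP 2.x deployment that publishes attributes as request headers; the class name `ShibAuthorizeAttribute`, its properties, and the header name `affiliation` with its values are hypothetical and must match your own attribute map.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web;
using System.Web.Mvc;

// Added example. Usage with hypothetical values:
//   [ShibAuthorize(Header = "affiliation", Allowed = "staff;faculty")]
public class ShibAuthorizeAttribute : AuthorizeAttribute
{
    public string Header { get; set; }   // header name from your attribute map (assumption)
    public string Allowed { get; set; }  // semicolon-separated accepted values

    // CGI rule: upper-case the name, replace '-' with '_', prefix "HTTP_".
    public static string ToCgiVariable(string header)
    {
        return "HTTP_" + header.ToUpperInvariant().Replace('-', '_');
    }

    // SP 2.x joins multiple values with ';' and escapes a literal ';' as "\;".
    public static List<string> SplitValues(string raw)
    {
        var values = new List<string>();
        var current = new StringBuilder();
        for (int i = 0; i < raw.Length; i++)
        {
            if (raw[i] == '\\' && i + 1 < raw.Length && raw[i + 1] == ';') { current.Append(';'); i++; }
            else if (raw[i] == ';') { values.Add(current.ToString()); current.Clear(); }
            else current.Append(raw[i]);
        }
        values.Add(current.ToString());
        return values.Where(v => v.Length > 0).ToList();
    }

    // Replaces the base check (which looks at User.Identity) with a header-based one.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var vars = httpContext.Request.ServerVariables;
        // Fail closed when the SP has not established a session for this request.
        if (string.IsNullOrEmpty(vars[ToCgiVariable("Shib-Session-ID")])) return false;
        if (string.IsNullOrEmpty(Header) || string.IsNullOrEmpty(Allowed)) return false;

        string raw = vars[ToCgiVariable(Header)];
        if (string.IsNullOrEmpty(raw)) return false;

        var allowed = new HashSet<string>(SplitValues(Allowed), StringComparer.Ordinal);
        return SplitValues(raw).Any(v => allowed.Contains(v));
    }
}
```

These variables are only trustworthy when every request reaches the application through the Shibboleth SP, since request headers are otherwise client-supplied.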