We propose an extension of the attribute exchange between an Identity Provider (IdP) and an Service Provider (SP) in Shibboleth. While in the conventional framework of Shibboleth attributes are exchanged in immediate values, in our new extension an SP and an IdP exchange attributes according to so-called "Magic Protocols". This extension enables the SP to know whether user's attributes meet the requirement for authorization, without the SP and the IdP revealing their confidential information. We also show how we can detect cheating in execution of this protocol, e.g. the IdP tells another value instead of the true value to the SP in malice. © 2008 IEEE.