eduPersonScopedAffiliation not mapping correctly

Cantor, Scott cantor.2 at
Tue Nov 1 18:35:40 GMT 2011

On 11/1/11 2:10 PM, "Scott Klawitter" <sklawitter at> wrote:
>Note: I think you missed a dash in the name
>"urn:mace:dir:attribute-def:eduPersonScopedAffiliation" **

Yes, cut and paste error.

>Is it true that all attributes that have compound elements such as
>eduPersonScopedAffiliation need a NameFormat?

Has nothing to do with "compound" or not, all SAML attributes have a two
part name.

>Or does version 2.4.0 and above resolve some of the Name Formatting

2.4 treats an unspecified NameFormat as matching any mapping rule
regardless of its NameFormat, because I got sick of dealing with this
every time an IdP was misconfigured, or for IdPs like ADFS that are
broken. The default NameFormat in SP mapping rules is the constant
representing a URI name format, but now it treats a missing format at
runtime as a wildcard for applying rules.

But what the IdP is sending you is simply wrong. Whether the SP can handle
it or not doesn't really change that. You're not obligated to work around
incorrect information, and it generally sets a bad precedent when you do.

>Is version 2.3.1 supported?

The SP retains compatibility with every minor upgrade, which means there's
no justification for me to support multiple minor releases at the same

That version is also vulnerable to the attack we disclosed and fixed
several months ago.

>I was unsure of how to create the mapping for this attribute. You
>explained why it is invalid though, so this helps me out.

The XML mapping syntax is documented in the wiki under the
NativeSPAttributeExtractor topic.

-- Scott
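The matching behaviour Scott describes (rules keyed on a two-part name, a rule's missing NameFormat defaulting to the URI constant, and 2.4 treating a missing format on an incoming attribute as a wildcard) in a small stand-alone form. This is an added example, not Shibboleth SP code: it models the strict matcher beside the 2.4-style wildcard matcher over a constructed SAML 2.0 AttributeStatement. It assumes the standard SAML 2.0 format constants and the Shibboleth 1.x attributeNamespace constant; treating the explicit "unspecified" constant (which the SAML 2.0 standard defines as the default for an omitted NameFormat) the same as an omitted one is this example's own simplification, and the third Attribute in the sample (a urn:mace name sent with the SAML 2.0 URI format) is one plausible misconfiguration, not what the original poster's IdP was actually sending.

```python
"""
Added example, not Shibboleth SP code: a toy attribute extractor that mirrors
the two-part SAML attribute name matching discussed in the thread.
Mapping rules are keyed on (Name, NameFormat); a rule with no format defaults
to the SAML 2.0 URI constant.  In strict mode an incoming Attribute must match
both parts.  In wildcard mode (the 2.4 behaviour described in the post) an
Attribute that omits NameFormat matches any rule carrying the same Name.
Treating the explicit "unspecified" constant like an omitted format is this
example's simplification.  The AttributeStatement below is constructed.
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
SHIB1_FORMAT = "urn:mace:shibboleth:1.0:attributeNamespace:uri"

# Rules in the spirit of attribute-map.xml: (name, nameFormat, id).
# A rule with nameFormat=None gets the URI constant, as the SP's default does.
RULES = [
    ("urn:oid:1.3.6.1.4.1.5923.1.1.1.9", None, "affiliation"),
    ("urn:mace:dir:attribute-def:eduPersonScopedAffiliation", SHIB1_FORMAT, "affiliation"),
]

# Constructed sample: one well-formed attribute, one with NameFormat omitted
# (ADFS-like), and one whose Name/NameFormat pair matches no rule at all.
SAMPLE = f"""
<saml:AttributeStatement xmlns:saml="{SAML2_NS}">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="{URI_FORMAT}">
    <saml:AttributeValue>member@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
    <saml:AttributeValue>staff@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                  NameFormat="{URI_FORMAT}">
    <saml:AttributeValue>student@example.edu</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def build_table(rules):
    """Index rules by their full two-part name, applying the URI default."""
    return {(name, fmt or URI_FORMAT): attr_id for name, fmt, attr_id in rules}


def match_rule(table, name, name_format, wildcard):
    """Return the mapped id for an incoming (Name, NameFormat) pair, or None."""
    if wildcard and name_format in (None, UNSPECIFIED_FORMAT):
        # 2.4-style: a missing format matches any rule with the same Name.
        for (rule_name, _fmt), attr_id in table.items():
            if rule_name == name:
                return attr_id
        return None
    # Strict: an omitted format is the "unspecified" constant per SAML 2.0,
    # so it cannot match a rule whose format defaulted to the URI constant.
    return table.get((name, name_format or UNSPECIFIED_FORMAT))


def decode_scoped(value):
    """Split 'value@scope' the way a scoped decoder would; reject unscoped input."""
    head, sep, scope = value.rpartition("@")
    if not sep or not head or not scope:
        return None
    return head, scope


def extract(xml_text, wildcard, rules=RULES):
    """Map every Attribute in the statement; report what could not be mapped."""
    table = build_table(rules)
    mapped, dropped = {}, []
    root = ET.fromstring(xml_text)
    for attr in root.findall(f"{{{SAML2_NS}}}Attribute"):
        name = attr.get("Name")
        fmt = attr.get("NameFormat")  # None when the IdP omitted it
        attr_id = match_rule(table, name, fmt, wildcard)
        if attr_id is None:
            dropped.append((name, fmt))
            continue
        for val in attr.findall(f"{{{SAML2_NS}}}AttributeValue"):
            decoded = decode_scoped((val.text or "").strip())
            if decoded is not None:
                mapped.setdefault(attr_id, []).append(decoded)
    return mapped, dropped


if __name__ == "__main__":
    for mode in (False, True):
        got, lost = extract(SAMPLE, wildcard=mode)
        print("wildcard" if mode else "strict", got, "dropped:", lost)
```

Under the strict matcher only the first attribute maps; the wildcard matcher also accepts the one with no NameFormat, which is the 2.4 accommodation Scott mentions. The third attribute is rejected under both, which is the point of his "simply wrong" remark: a relaxed SP does not turn a mismatched Name/NameFormat pair into a correct one, so the fix belongs on the IdP side.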
