eduPersonScopedAffiliation not mapping correctly

Scott Klawitter sklawitter at ebsco.com
Thu Nov 3 19:47:28 GMT 2011


Shibboleth Users Group,

We are working with an Identity Provider where we are not receiving
their scoped attributes correctly. The MACE-Dir SAML Attribute Profiles,
located here:
http://middleware.internet2.edu/dir/docs/internet2-mace-dir-saml-attributes-200804.pdf
lists some examples of how to format some of the eduPerson attributes.

I am looking for some valid examples that support SAML 1.0, SAML 1.1 and
SAML 2.0.

I also found this link on the InCommon site to show the old and new way
of defining some formal names for defining SAML1 and SAML2 attributes.
This backs up what Scott Cantor said in a reply to this thread.

	http://www.incommon.org/attributesummary.html 

Thank you,

Scott Klawitter

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net]
On Behalf Of Cantor, Scott
Sent: Tuesday, November 01, 2011 1:36 PM
To: users at shibboleth.net
Subject: Re: eduPersonScopedAffiliation not mapping correctly

On 11/1/11 2:10 PM, "Scott Klawitter" <sklawitter at ebsco.com> wrote:
>
>Note: I think you missed a dash in the name 
>"urn:mace:dir:attribute-def:eduPersonScopedAffiliation" **

Yes, cut and paste error.

>Is it true that all attributes that have compound elements such as 
>eduPersonScopedAffiliation need a NameFormat?

Has nothing to do with "compound" or not, all SAML attributes have a two
part name.

> 
>Or does version 2.4.0 and above resolve some of the Name Formatting 
>errors?

2.4 treats an unspecified NameFormat as matching any mapping rule
regardless of its NameFormat, because I got sick of dealing with this
every time an IdP was misconfigured, or for IdPs like ADFS that are
broken. The default NameFormat in SP mapping rules is the constant
representing a URI name format, but now it treats a missing format at
runtime as a wildcard for applying rules.

But what the IdP is sending you is simply wrong. Whether the SP can
handle it or not doesn't really change that. You're not obligated to
work around incorrect information, and it generally sets a bad precedent
when you do.

>Is version 2.3.1 supported?

No. http://shibboleth.internet2.edu/shib-which-version.html

The SP retains compatibility with every minor upgrade, which means
there's no justification for me to support multiple minor releases at
the same time.

That version is also vulnerable to the attack we disclosed and fixed
several months ago.

>I was unsure of how to create the mapping for this attribute. You 
>explained why it is invalid though, so this helps me out.

The XML mapping syntax is documented in the wiki under the
NativeSPAttributeExtractor topic.

-- Scott
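A toy model of the mapping-rule matching Scott Cantor describes above (an added example, not Shibboleth SP code and not part of the thread): rules default to the URI name format, and an attribute arriving with no NameFormat either fails strict matching or, in the 2.4 behaviour, matches any rule with the same Name. It assumes the SP's URI-format default constant, Shibboleth's SAML 1.x namespace constant, and the OID-form name for eduPersonScopedAffiliation from the MACE-Dir profile; the XML sample is constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# SP default nameFormat for a mapping rule (the "URI name format" constant)
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# What SAML 2.0 says an absent NameFormat means; used here to model strict, pre-2.4 matching
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
# Assumption: Shibboleth's namespace constant for SAML 1.x attribute names
SAML1_FORMAT = "urn:mace:shibboleth:1.0:attributeNamespace:uri"

@dataclass(frozen=True)
class Rule:  # one <Attribute> element of attribute-map.xml; nameFormat defaults to URI
    name: str
    id: str
    name_format: str = URI_FORMAT

# Constructed rules: the SAML1 name quoted in the thread plus the OID form for SAML 2.0
RULES = [
    Rule("urn:mace:dir:attribute-def:eduPersonScopedAffiliation", "affiliation", SAML1_FORMAT),
    Rule("urn:oid:1.3.6.1.4.1.5923.1.1.1.9", "affiliation"),
]

def map_attribute(name, name_format, rules, missing_format_is_wildcard):
    """Return the internal id a SAML attribute maps to, or None if no rule matches.

    missing_format_is_wildcard=True models SP 2.4+: an attribute that arrives
    without a NameFormat matches any rule carrying the same Name. False models
    the older strict behaviour, where a missing format counts as 'unspecified'.
    """
    for rule in rules:
        if rule.name != name:
            continue
        if name_format is None and missing_format_is_wildcard:
            return rule.id
        if (name_format or UNSPECIFIED_FORMAT) == rule.name_format:
            return rule.id
    return None

def attribute_name_parts(xml_text):
    """Extract (Name, NameFormat-or-None) from a saml2:Attribute element."""
    el = ET.fromstring(xml_text)
    return el.get("Name"), el.get("NameFormat")

# Constructed sample of the misconfiguration discussed: the IdP omits NameFormat entirely
SAMPLE_NO_FORMAT = (
    '<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">'
    '<saml:AttributeValue>member@example.edu</saml:AttributeValue></saml:Attribute>'
)
```

Running `map_attribute(*attribute_name_parts(SAMPLE_NO_FORMAT), RULES, False)` returns None, while the same call with the wildcard flag set returns "affiliation"; the mismatch is the IdP's error, which the SP's leniency only masks.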
