eduPersonScopedAffiliation not mapping correctly

Cantor, Scott cantor.2 at osu.edu
Thu Nov 3 21:57:49 GMT 2011 

On 11/3/11 5:10 PM, "Scott Klawitter" <sklawitter at ebsco.com> wrote:
>
>The log file shows different approaches per Identity Provider.

That's what being liberal with what you accept will get you.

>This could be due to IdP versions, or user IdP configurations. I knew that
>you edited the document, and was hoping that you would respond with an
>example that I could relay to the Identity Provider.

I don't generally give examples *because* I wrote the document. I'm more
than willing to improve it though.

>I did not realize that the AttributeValue element could be omitted.

It can't.

>SAML 2.0 Example:
>-----------------------
><saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
>		FriendlyName="eduPersonScopedAffiliation">
>	<saml2:AttributeValue
>xsi:type="xsd:string">cantor.2 at osu.edu</saml2:AttributeValue>
></saml2:Attribute>

"cantor.2" is not a valid value for an affiliation but I imagine that's
obvious. You're missing the NameFormat attribute as defined by the
X.500/LDAP attribute profile that is referenced.

><saml2:NameIdentifier
>Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">cantor.2 at osu.edu</saml2:NameId
>entifier>

There is no such element in SAML 2.0; you mean NameID. And you don't pass
affiliations in NameID elements anyway, they're not unique or
single-valued.

>
><saml2: Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
>		FriendlyName="eduPersonScopedAffiliation">
>	<saml2:AttributeValue
>Scope="osu.edu">cantor.2</saml2:AttributeValue>
></saml2:Attribute>

And that has the wrong value syntax.

>SAML 1.0 Examples:
>-----------------------
><saml:Attribute
>AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"
>	
>AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation ">
>	<saml:AttributeValue
>Scope="osu.edu">cantor.2</saml:AttributeValue>
></saml:Attribute>

That's correct except for the cantor.2 thing.

><saml:Attribute
>AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"
>		AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
>	<saml:AttributeValue
>xsi:type="xsd:string">cantor.2 at osu.edu</saml:AttributeValue>
></saml:Attribute>

That has the wrong AttributeName and the wrong syntax.

><saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/claims"
>		AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
>	<saml:AttributeValue
>xsi:type="xsd:string">cantor.2 at osu.edu</saml:AttributeValue>
></saml:Attribute>

That's a hack to make ADFS work but it is occasionally done, unofficially.

><saml:NameIdentifier
>Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">cantor.2 at osu.edu</saml:NameIde
>ntifier>

Not relevant for an affiliation.

-- Scott

More information about the users mailing list