New attribute filter help
Cantor, Scott
cantor.2 at osu.edu
Fri Sep 30 18:11:32 BST 2011
On 9/30/11 11:53 AM, "Morris, Andi" <amorris at uwic.ac.uk> wrote:
>For Shibboleth users, we are expecting to receive the following
>attributes:
> > An attribute with a name that matches the regular expression
>(ignoring case)
>".*OASCOPED.URN.MACE.DIR_ATTRIBUTE.DEF.EDUPERSONTARGETEDID.*". The value
>should be some sort if ID representing the logged in user followed by
>=@"idpdomain"
That would be a deprecated form and you shouldn't need to release that to
anybody. The SP has plenty of tools for them to use to normalize what you
send into whatever form they need, and if they're using "not Shibboleth",
that remains their responsibility.
>An attribute with a name that matches the regular
>expression".*IDP.ENTITY.*". The value should be the EntityID of the
>Identity provider.
That's not typical, and it is incorrect to use "regular expressions" to
match attribute names.
Again, any SP should provide access to the issuer of the assertion, which
is your entityID.
>Also, is there a way I can release the EntityID as an attribute?
You would need to populate it from information in the request context.
-- Scott
More information about the users
mailing list