RequestMap Query applicationId

Peter Schober peter.schober at
Wed May 14 10:29:52 EDT 2014

* Tom Haenen <tom.haenen at> [2014-05-14 12:40]:
> You assume that all email addresses provided are the same, although
> I am not sure this is always the case. For example the attributes
> urn:mace:dir:attribute-def:eduPersonPrincipalName and
> urn:mace:dir:attribute-def:mail are not guaranteed to contain the
> same data. One of our customers might ask us to use
> eduPersonPrincipalName, while another does not use this attribute
> for their email addresses. 

Of course using standard attributes (eduPersonPrincipalName) and
insisting they should mean someting else entirely (mail) is just wrong.
Institutions doing that should be told so. Instead they should use an
attribute that is defined to mean email addresses, such as "mail" (for
SAML2 that's urn:oid:0.9.2342.19200300.100.1.3) -- even if the same
value may already be present as eduPersonPrincipalName.

More information about the users mailing list