InC R&S IdP config breaks integration with R&S SP!
Tom Scavo
trscavo at gmail.com
Mon Nov 24 14:27:42 EST 2014
On Mon, Nov 24, 2014 at 2:12 PM, David Bantz <dabantz at alaska.edu> wrote:
> I recently switched our IdP configuration to support release to the InC SPs in the research-and-scholarship category.
> Previously I had individual release policies for a subset of these SPs.
That's great! Don't forget to formally declare your support for R&S so
we can add your IdP to the official list of IdPs that support R&S.
> The attribute filter policy provided at
> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAddAttributeFilterExamples or
> https://spaces.internet2.edu/display/InCFederation/Essential+Attribute+Bundle+Config
> releases the mail attribute
>
> mail is allowed to be multi-valued, but releasing a multi-valued attribute for mail prevents login,
> with a message that the IdP is not releasing the required attributes.
That's not surprising.
> I forgot that I had had to craft (resolve) a single-valued version of mail for FileSender and
> encode it with the mail OID.
You could raise this issue at the contact email in metadata but it may
be easier just sending a single value to the SP.
> I could release this single-valued version of mail for all research-and-scholarship SPs,
> but am a little concerned this could create other issues down the road.
I'm not sure what the concern is. Why not release a single email
address to all external SPs?
> (FWIW, releasing both versions - that is two separate attribute clauses with mail attribute -
> also blocks FileSender login, even if both clauses have the same single value.)
I'm not sure what you mean. Do you mean two attributes with the same
name in a single assertion? I wouldn't do that. That's probably the
least desirable of all the options you have.
Tom
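
A check for the two cases discussed in this thread, a multi-valued mail attribute and two mail attribute elements in one assertion, run over an AttributeStatement taken from a test login. This is an added example, not part of the original messages; the function names, the sample addresses and the assumption that the SP expects exactly one mail value are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # the mail OID mentioned in the thread

def attribute_problems(statement_xml, single_valued=(MAIL_OID,)):
    """Return sorted (attribute Name, problem) pairs for one AttributeStatement.

    single_valued is an assumption: the attribute names the receiving SP
    expects to carry exactly one value.
    """
    root = ET.fromstring(statement_xml)
    counts = defaultdict(list)  # Name -> value count of each <Attribute> element
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        n_values = len(attr.findall(f"{{{SAML}}}AttributeValue"))
        counts[attr.get("Name")].append(n_values)
    problems = []
    for name, per_element in counts.items():
        if len(per_element) > 1:
            # Same Name in two <Attribute> elements of one assertion.
            problems.append((name, "duplicate-attribute"))
        if name in single_valued and max(per_element) > 1:
            # One <Attribute> element carrying several values.
            problems.append((name, "multi-valued"))
    return sorted(problems)

def mail_statement(*elements):
    """Constructed sample: each argument is the value list of one mail element."""
    body = "".join(
        f'<saml:Attribute Name="{MAIL_OID}" FriendlyName="mail">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
        + "</saml:Attribute>"
        for vals in elements
    )
    return f'<saml:AttributeStatement xmlns:saml="{SAML}">{body}</saml:AttributeStatement>'

if __name__ == "__main__":
    for label, xml in [
        ("single value", mail_statement(["a@example.edu"])),
        ("multi-valued", mail_statement(["a@example.edu", "a@alumni.example.edu"])),
        ("two clauses", mail_statement(["a@example.edu"], ["a@example.edu"])),
    ]:
        print(label, attribute_problems(xml))
```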