InC R&S IdP config breaks integration with R&S SP!

Cantor, Scott cantor.2 at
Mon Nov 24 16:15:21 EST 2014

On 11/24/14, 7:12 PM, "David Bantz" <dabantz at> wrote:

>mail is allowed to be multi-valued, but releasing a multi-valued 
>attribute for mail prevents login, with a message that the IdP is not 
>releasing the required attributes.
>I forgot that I had had to craft (resolve) a single-valued version of 
>mail for FileSender and 
>encode it with the mail OID.
>I could release this single-valued version of mail for all 
>research-and-scholarship SPs,
>but am a little concerned this could create other issues down the road.

I don't think you will ever end up in a worse position by ending the 
practice of exposing multiple values through the mail attribute. This is 
one of those cases where you can stand on the definition and tell 
everybody in the world to change, or accept that what people use the 
attribute for is simply not consistent with sending more than one. It's 
really up to you.

I tried to propose a different attribute for capturing "the single 
institutional email address", and the feedback from at least some was that 
it would add more confusion so I dropped it.

But in practice what apps want is an institutional email address that 
ideally should be the same as EPPN, and you will have much less pain in 
the long run just accepting that where possible. I know we have been much 
happier for it.

>(FWIW, releasing both versions - that is two separate attribute clauses 
>with mail attribute -
>also blocks FileSender login, even if both clauses have the same single 

I don't know what you mean by that exactly.

-- Scott

More information about the users mailing list