> And arguably even worse would be defining separate attributes... OK, thanks, it looks like a script it is. Or maybe better, putting the logic for the single "correct" e-mail address in IdM via the data source (or the data feed to IdM itself) before it gets to AD so Shibboleth has a simple primary e-mail attribute to deal with. -- Dave