ArcGIS on Shib 3

Peter Schober peter.schober at univie.ac.at
Thu Jun 25 15:53:35 EDT 2015


* McKean, Brandon Scott - mckeanbs <mckeanbs at jmu.edu> [2015-06-25 21:46]:
> The first one being the mail attribute definition. I see it's set to
> construct that from the uid and add a domain of your choosing, but I
> was hoping to get that pulled straight from LDAP. Is there a way to
> do that?

Sure, if the software couldn't pass around email addresses, but only
uids, that would be pretty broken.

> <resolver:AttributeDefinition id="mail" xsi:type="ad:Simple">
>     <resolver:AttributeEncoder xsi:type="enc:SAML1String"
>         name="urn:mace:dir:attribute-def:mail" encodeType="false" />
>     <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>         name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
>         encodeType="false" />
> </resolver:AttributeDefinition>

Your previously sent version looked better, as it included
sourceAttributeID="mail" in the AttributeDefinition and a child
element of <resolver:Dependency ref="jmuad" /> referencing the
DataConnector that should be able to provide the "mail" attribute.
They're both missing from your example above.

But do consult the documentation, for IDPv3 it's this (or something in
that vicinity):
https://wiki.shibboleth.net/confluence/display/IDP30/AttributeDefinitionConfiguration
-peter
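
The definition with the two pieces named in the reply restored, as an added example that is not text from either poster. It assumes a DataConnector with id "jmuad" is defined elsewhere in attribute-resolver.xml and returns a "mail" attribute, and that the resolver:, ad:, enc: and xsi: prefixes are declared on the file's root element.

```xml
<!-- Added example: "mail" read straight from the directory instead of
     being constructed from uid plus a domain. -->
<resolver:AttributeDefinition id="mail" xsi:type="ad:Simple"
        sourceAttributeID="mail"> <!-- restored: attribute to take from the dependency -->

    <!-- restored: the DataConnector that supplies "mail"
         (id "jmuad" as named in the reply; assumed to be defined in this file) -->
    <resolver:Dependency ref="jmuad" />

    <!-- encoders unchanged from the quoted snippet -->
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:dir:attribute-def:mail" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
        encodeType="false" />
</resolver:AttributeDefinition>
```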

