Using a custom attribute as the eppn

Philip Durbin philip_durbin at harvard.edu
Tue Aug 16 09:30:20 EDT 2016


It looks like Alex got integration between SimpleSAMLphp IdP and
Dataverse working using eppn! He wrote, "I modified attribute-map.xml
and removed the AttributeDecoder from the eppn definition.  I also
commented out the AttributeRule for eppn in attribute-policy.xml,
although this might be unnecessary after the change to attribute-map"
at https://groups.google.com/d/msg/dataverse-community/PXHKNX6m-eU/RrrAn9I7DQAJ
and more details can be found there.

On Tue, Aug 9, 2016 at 2:51 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> Somebody should get this application to stop requiring a header called "eppn". Applications should not be dictating the name of the data element they consume. Hacking things into specifically named headers is a recipe for a lot of confusion.

Scott, I work on the application in question (Dataverse) but I'm
having trouble understanding what you want. If you're saying that
Dataverse should be more flexible in accepting a variety of attributes
to uniquely identify users such as eppn, ePTID, NameID, and others, I
have already opened an issue about this at
https://github.com/IQSS/dataverse/issues/1422 and comments are very
welcome! If you're saying something else, please advise! Here's where
I document which attributes are required:
http://guides.dataverse.org/en/4.4/installation/shibboleth.html#shibboleth-attributes

Thanks!

Phil

p.s. In developing Shibboleth support for Dataverse as an SP, I have been
heavily influenced by the attributes sent by the IdP at
http://www.testshib.org . I basically took a look at
https://demo.dataverse.org/Shibboleth.sso/Session (output below) as a
starting point for what attributes are reasonable to expect from an
IdP:

Miscellaneous
Session Expiration (barring inactivity): 479 minute(s)
Client Address: 140.247.116.200
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://idp.testshib.org/idp/shibboleth
Authentication Time: 2016-08-15T13:50:02.774Z
Authentication Context Class:
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
affiliation: Member at testshib.org;Staff at testshib.org
cn: Me Myself And I
entitlement: urn:mace:dir:entitlement:common-lib-terms
eppn: myself at testshib.org
givenName: Me Myself
persistent-id: https://idp.testshib.org/idp/shibboleth!https://demo.dataverse.org/sp!ZdMHr9QAhEw2LdLs/QwLR9b24qU=
sn: And I
telephoneNumber: 555-5555
uid: myself
unscoped-affiliation: Member;Staff

-- 
Philip Durbin
Software Developer for http://dataverse.org
http://www.iq.harvard.edu/people/philip-durbin
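As an added illustration of the flexibility discussed in the linked issue (example code, not Dataverse's or Shibboleth's own), the Python below parses a Shibboleth.sso/Session listing like the one quoted above and picks a user identifier from an ordered preference list instead of insisting on a single "eppn" header. The sample listing is constructed (with "@" restored where the archive printed " at "), and the preference order and the rejection of an unscoped eppn are assumptions of this example.

```python
# Constructed sample modelled on the Shibboleth.sso/Session output quoted in
# the post; values are not real user data.
SAMPLE_SESSION = """\
Miscellaneous
Session Expiration (barring inactivity): 479 minute(s)
Identity Provider: https://idp.testshib.org/idp/shibboleth

Attributes
affiliation: Member@testshib.org;Staff@testshib.org
entitlement: urn:mace:dir:entitlement:common-lib-terms
eppn: myself@testshib.org
persistent-id: https://idp.testshib.org/idp/shibboleth!https://demo.dataverse.org/sp!ZdMHr9QAhEw2LdLs/QwLR9b24qU=
uid: myself
unscoped-affiliation: Member;Staff
"""

# Hypothetical policy: which released attributes may identify a user, best first.
IDENTIFIER_PREFERENCE = ("eppn", "persistent-id")


def parse_session(text):
    """Split a Session listing into {"Miscellaneous": {...}, "Attributes": {...}}.

    Attribute values are lists, because the SP joins multi-valued attributes
    with ';' (see 'affiliation' above); other sections keep plain strings.
    """
    sections, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:                       # bare heading starts a section
            section = line
            sections.setdefault(section, {})
            continue
        if section is None:
            continue                              # ignore text before any heading
        key, _, value = line.partition(":")       # first ':' only; values hold ':' too
        key, value = key.strip(), value.strip()
        if section == "Attributes":
            sections[section][key] = [v.strip() for v in value.split(";") if v.strip()]
        else:
            sections[section][key] = value
    return sections


def select_identifier(attrs, preference=IDENTIFIER_PREFERENCE):
    """Return (attribute name, value) for the first usable identifier, else None."""
    for name in preference:
        for value in attrs.get(name, []):
            if name == "eppn" and "@" not in value:
                continue                          # unscoped eppn is not globally unique
            return name, value
    return None
```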