Shibboleth experience with LibApps by SpringShare
Cantor, Scott
cantor.2 at osu.edu
Wed May 18 11:40:53 EDT 2016
On 5/17/16, 7:08 PM, "users on behalf of Corey Scholefield" <users-bounces at shibboleth.net on behalf of coreys at uvic.ca> wrote:
>Greetings all.....just wondering if any Shibboleth IDP deployers on this list have experience with setting up an attribute-release policy for the SP provided by LibApps ?
Well, not exactly. I was just asked to federate with them yesterday by a department, and they're an InCommon member, so from a release standpoint, I had no work to do.
But it didn't work (yet); their SimpleSAML deployment is claiming that the attributes they asked for weren't present, which I know is not the case, so there's something wrong with their deployment at present. They appeared to want mail, and first/last name, FWIW. From that, I assumed without evidence that they intend to rely on mail as an identifier, which wouldn't exactly be unusual.
>The vendor technical support doesn't seem to have any Shib IDP configuration samples
> to crib from, and I'd like to help a colleague translate a standard ARP into claims that an ADFS-based IDP could issue to the service.
I think what you're really asking is, what attributes do they require? Which in fairness I don't know. I only know what it told my customer it required but didn't receive.
>This translation to claims should be fairly straight-forward, I think - but the vendor
> has asked that username be released as this format :
>
>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
That's news to me, but if true, they have a problem since I have no intention of doing that, and I'll have to tell my customer that if it comes up. Do you have a reference for that requirement? A web page link?
>
>...which doesn't sound semantically correct, according to the SAML spec.
It's entirely incorrect.
-- Scott
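
Added example, not part of the original message or of any vendor's code: a sketch of why a transient NameID cannot serve as a username, using two constructed assertions for the same user. It assumes the SP keys accounts on the mail attribute (the assumption made in the reply above) and that signature and condition checks have already passed; the function names and sample values are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"  # OID name of the mail attribute


def _assertion(name_id, mail):
    # Constructed sample; a real assertion is signed and carries conditions.
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="{TRANSIENT}">{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{MAIL}"><saml:AttributeValue>{mail}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Two logins by the same person: the transient NameID changes every session.
LOGIN_1 = _assertion("_3f9c1a7be2", "jdoe@example.edu")
LOGIN_2 = _assertion("_a81d02c44f", "jdoe@example.edu")


def name_id_value(assertion_xml):
    """Return (Format, value) of the subject NameID."""
    node = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    return (node.get("Format"), (node.text or "").strip())


def account_key(assertion_xml):
    """Pick the identifier to key the local account on.

    A transient NameID is never used; only a persistent NameID or the
    mail attribute is accepted. Assumes the assertion is already validated.
    """
    root = ET.fromstring(assertion_xml)
    fmt, value = name_id_value(assertion_xml)
    if fmt == PERSISTENT and value:
        return ("nameid", value)
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        if attr.get("Name") == MAIL and val is not None and val.text:
            return ("mail", val.text.strip().lower())
    raise ValueError("no stable identifier: only a transient NameID was sent")
```

Keying on the transient value would create a new account at every login, while the mail attribute yields the same key both times.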