Cisco Spark SSO with Shibboleth IdP.

[Cantor, Scott]

On 7/20/17, 5:34 PM, "users on behalf of Maokhampio, Michel" <users-bounces at shibboleth.net on behalf of mmaokhampio at it.ucla.edu> wrote:

> We are able to accommodate this but typically we do not prefer to add SP-defined custom attributes into our configurations. So
> we are wondering if there has been other practice to work around this.

You can't work around it, all you can do is fight back and refuse. You would be surprised how often that works because a lot of the time the implementations are perfectly able to deal with it. It doesn't always, and then you have to decide what you can live with.

My most recent case is at an impasse. I have an app called Druva that's insisting on generating a random string and forcing me to include it in the assertions as an Attribute. They have all sorts of excuses and justifications, and none of them matter because I'm just not going to do it. And my customer had to be told that, and I can explain why, but it doesn't get the customer's problem solved.

> Another concern we have is use of mail attribute as identifier. Since email addresses are relatively often subject to changes, it
> might not be a good candidate of key identifier.

Of course. Welcome to the cloud.

-- Scott