Handling New User Memberships
Brandon McKean
mckeanbs at jmu.edu
Tue May 9 11:36:15 EDT 2017
Hi Everyone,
We're facing a situation where we've pointed our Shibboleth instance to
an LDAP directory that doesn't contain our graduates after a certain
time period, and we need to move it to a directory that does contain them.
The problem this introduces for us is that several applications were
set up without sending any attribute indicating what type of user is
logging in. Normally I know this sort of thing is supposed to be handled
using an attribute like eduPersonScopedAffiliation, but we deal with
some vendors that won't use that attribute and expect the burden of user
filtering to be on us as the identity provider.
From what I've found, the most straightforward way to handle this from
the identity provider side would be to simply disable attribute release
to certain service providers when users shouldn't be allowed in. This
naturally causes its own problems, because service providers will often
just fail and not say anything helpful to users in that situation.
My question is, has anyone else encountered a situation like this? And
if so, how did you handle it?
--
Brandon McKean
IT / Systems
Linux Administrator
(540)568-4235
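As an added illustration of the approach described in the post (not part of the original message or of any Shibboleth project file), this is what a per-SP release gate looks like in a Shibboleth IdP v3 attribute-filter.xml: attributes go to the vendor only when the user carries a current-affiliation value. The SP entityID, the eduPersonAffiliation values and the released attribute names are assumptions for the example.

```xml
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Hypothetical vendor SP that will not consume affiliation itself.
         The policy fires only when the requester matches AND the user has a
         current affiliation; graduates match neither value, so nothing is
         released to that SP for them and the vendor cannot log them in. -->
    <AttributeFilterPolicy id="vendorCurrentUsersOnly">
        <PolicyRequirementRule xsi:type="AND">
            <Rule xsi:type="Requester" value="https://vendor.example.org/shibboleth" />
            <Rule xsi:type="OR">
                <Rule xsi:type="AttributeValueString"
                      attributeID="eduPersonAffiliation" value="student" />
                <Rule xsi:type="AttributeValueString"
                      attributeID="eduPersonAffiliation" value="employee" />
            </Rule>
        </PolicyRequirementRule>
        <!-- Attributes the vendor integration was built to receive (assumed) -->
        <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
        <AttributeRule attributeID="mail" permitAny="true" />
        <AttributeRule attributeID="displayName" permitAny="true" />
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

The eduPersonAffiliation attribute must be defined in attribute-resolver.xml for the rule to see it. Filtering alone still hands the SP an assertion with no attributes, so the unhelpful SP-side failure the post describes remains unless the IdP is separately configured to stop the login with its own error page.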
More information about the users mailing list