RE: Attributes – how to exclude scope

[Kurtz, Anna]

I am not sure why the SP cannot distinguish the scope separately as I agree there could be duplicates in ePUID with other IdPs. I think our best bet it to do a new attribute with no scope. Thank you all for the suggestions and responses!

Thanks,
Anna

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of IAM David Bantz
Sent: Friday, December 14, 2018 3:59 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Attributes – how to exclude scope

Create/release a new attribute without scope (perhaps the underlying identifier you use to create ePUID);
do not name it eduPersonUniqueId though because it will not be!

David Bantz

On Fri, Dec 14, 2018 at 12:24 PM Kurtz, Anna <anna.kurtz at sdstate.edu<mailto:anna.kurtz at sdstate.edu>> wrote:
Hello,
We have recently released the eduPersonUniqueID to an SP. We set the ePUID to be scoped in the attribute resolver. We are on IdP 3.2.1

The SP that requires the ePUID is seeing the value as [id value]@[scope] and they do not know how to deal with the scope. They just need the [id value]. The SP is not able to make any changes to ignore the scope.

Is there a way in the attribute resolver or filter on our end to change how the ePUID is sent to just that one SP? We want to try and exclude the scope for them.

Thank you!
Anna

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20181217/4bc9c077/attachment.html>