Missing Attributes
Boyd, Todd M.
tmboyd1 at ccis.edu
Tue Mar 6 15:18:56 EST 2018
You can set the NameID generation on a per-SP basis without needing separate installations of Shibboleth IdP. We have to do this for a few of our service providers that require things like email instead of a transient value.
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Robert Lamothe <robert_lamothe at yahoo.com>
Sent: Tuesday, March 6, 2018 2:13:19 PM
To: Shib Users
Subject: Missing Attributes
Hello Shib Users,
I have a curious situation.
I have an SP that our users use and I've noticed that not all users get the same attributes sent. For example, when I login I get the following attributes:
"name": "eduPersonPrimaryAffiliation",
"name": "mail",
"name": "displayName",
"name": "surname",
"name": "givenName",
"name": "eduPersonPrincipalName",
Another user gets the following:
"name": "mail",
"name": "displayName",
"name": "surname",
"name": "givenName",
"name": "eduPersonPrincipalName",
As you can see "eduPersonPrimaryAffiliation" is missing on this second user.
So, my questions are:
1) Is this more likely an AD issue or a Shibboleth issue?
2) If an attributed isn't populated in AD will it not be visible in Shibboleth
I have two shibboleth clusters because 1 of our SPs needs the NameID property to deliver email, and the second cluster has NameID set to transient which is required by other SPs. I see the same behavior on both clusters so either I made the same mistake on both clusters or AD is somehow behind it.
Thanks in Advance
-Bob
--
Bob Lamothe
robert_lamothe at yahoo.com
KB1BOB
603-918-6336
More information about the users
mailing list