Merge two attributes in Shibboleth v3

Peter Schober peter.schober at
Sat Mar 17 09:54:54 EDT 2018

* panosx13 panosx13 <panosx13 at> [2018-03-17 13:35]:
> Actually I want to advertise the schacPersonalUniqueCode which has to be
> like that:
> where the 12345678 is the uid of each user.

That's wrong for 2 reasons, and far from ideal for a third reason.
Current (for 3 years now) is SCHAC 1.5.

* Since RFC 6336 was published 7 years ago the namespace to be used is
  urn:schac, not

* schacPersonalUniqueCode is not qualified with DNS domains, it must
  be qualified with
  1. "a valid two-letter ISO 3166 country code identifier", plus
  2. a Namespace Specific String from a "nationally controlled
  vocabulary, published through the URI identified at the above
  mentioned SCHAC URN registry".
  So what you do above is simply invald and violates the specification
  you pretent to be using.

* Also there is no requirement to make the subject-specific part "the
  uid of each user". In fact there are lot of other, better suited,
  attributes to communicate "the uid of each user", e.g.: (though this is
  meaningless beyond internal use within an organisation), or
  (qualifies a local userid-ish attribute with a DNS domain to make it
  unique across organisational boundaries).
  Of course once you go across org boundaries there's no need to be
  sending internal userids at all, so a better replacement altogether
  is using the newly defined OASIS SubjectID attribute.

> So I thought to create a temp static attribute lets say
> schacPersonalUniqueCodeTemp that will have the value
> and then to create the combined attribute schacPersonalUniqueCode which
> will be from the static attribute schacPersonalUniqueCodeTemp and the ldap
> attribute uid.
> Is that possible in Shibboleth v3 and if yes how I can make it .


More information about the users mailing list