New CAS metadata support in 3.4

Cantor, Scott cantor.2 at
Mon Nov 26 21:40:39 EST 2018

On 11/26/18, 9:31 PM, "users on behalf of Paul B. Henson" <users-bounces at on behalf of henson at> wrote:

> > metadata instead... To clarify, is this how it's supposed to work?
> > Intuitively I expected the release policy to match on the defined
> > exact entityid.

Yes, I think it should.

> As I continue my journey of discovery :), I came across the new
> AffiliationDescriptor support in 3.4 and thought perhaps that could be
> used to make my existing 3.3 CAS release policy config work, so I added:

The AffiliateMember has to be the entityID of the member SP, which doesn't seem to be what you put in there. That still might not work if the internals of the request aren't being set up properly, which your other issues seem to suggest, but SAML-wise, that's how Affiliations work. The surrounding EntityDescriptor of the AffiliationDescriptor has the entityID of the "affiliation" (the group name) and the members are the SPs. affiliationOwnerID is informational, not relevant to any policy.

-- Scott
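
The affiliation layout described in the reply above, as an added example that is not part of the original message and is not Shibboleth's own code: it parses a constructed metadata sample and resolves which group a requesting SP belongs to. All entityIDs and the function names `load_affiliations`, `groups_for` and `policy_matches` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata; every entityID below is a placeholder.
# The outer EntityDescriptor names the group, AffiliateMember names each SP.
SAMPLE_METADATA = f"""\
<EntitiesDescriptor xmlns="{MD}">
  <EntityDescriptor entityID="https://example.org/affiliation/cas-services">
    <AffiliationDescriptor affiliationOwnerID="https://idp.example.org/owner">
      <AffiliateMember>https://app1.example.org/cas</AffiliateMember>
      <AffiliateMember>https://app2.example.org/cas</AffiliateMember>
    </AffiliationDescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def load_affiliations(metadata_xml):
    """Map each affiliation (group) entityID to its set of member SP entityIDs."""
    root = ET.fromstring(metadata_xml)
    groups = {}
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        aff = entity.find(f"{{{MD}}}AffiliationDescriptor")
        if aff is None:
            continue  # ordinary entity, not an affiliation
        members = {m.text.strip()
                   for m in aff.findall(f"{{{MD}}}AffiliateMember") if m.text}
        # affiliationOwnerID is deliberately ignored: it is informational only.
        groups[entity.get("entityID")] = members
    return groups


def groups_for(sp_entity_id, groups):
    """Return the affiliation names that list this SP entityID as a member."""
    return sorted(name for name, members in groups.items()
                  if sp_entity_id in members)


def policy_matches(sp_entity_id, group_id, groups):
    """Group-style match: true only if the SP's own entityID is a listed member."""
    return sp_entity_id in groups.get(group_id, set())
```

A group match succeeds only when the requesting SP's exact entityID appears as an `AffiliateMember`; the affiliation's own entityID and the `affiliationOwnerID` never match as members.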
