mapped eduPersonScopedAffiliation attribute
Ryan Suarez
ryan.suarez at sheridancollege.ca
Wed Sep 5 13:32:33 EDT 2018
Greetings,
I'm trying to federate my shibV3 IdP with an SP. They require eduPersonScopedAffiliation attribute which the IdP is passing:
<saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
                 Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>students@mydomain.ca</saml2:AttributeValue>
</saml2:Attribute>
The problem is that "students" is not valid, they only accept "student". So I changed the attribute resolver from this:
<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="myAttribute">
    <resolver:Dependency ref="ldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
</resolver:AttributeDefinition>
To this:
<resolver:AttributeDefinition xsi:type="ad:Mapped" id="eduPersonScopedAffiliation" sourceAttributeID="myAttribute">
    <resolver:Dependency ref="ldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
    <ad:ValueMap>
        <ad:ReturnValue>student@mydomain.ca</ad:ReturnValue>
        <ad:SourceValue>students</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>
Is this mapped definition functionally equivalent to the scoped definition?
I can see the mapped attribute when testing from the IdP with this command: "aacli.sh --configDir /opt/shibboleth-idp/conf --principal=someUser --requester https://sp.somedomain.ca". However, I cannot see the mapped attribute in the SAML assertion to the SP when inspecting with the SAML tracer tool for Firefox.
Why is the mapped attribute not part of the assertion if it shows up with aacli?
Regards,
Ryan
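Editor's note, added here and not part of the original post. The two definitions above are not equivalent. A Scoped definition produces scoped values (a separate value and scope), which is what the SAML1ScopedString and SAML2ScopedString encoders operate on; a Mapped definition produces plain string values, and the scoped encoders skip plain strings rather than encoding them. aacli shows resolved values before encoding, so the attribute appears there but never reaches the assertion. The usual way to get both the value rewrite and the scoping is to chain two definitions: a Mapped definition that only normalizes the affiliation term, and a Scoped definition that depends on it and carries the encoders. The resolver-config fragment below is an added example assuming the post's own names (myAttribute, the ldap connector, idp.scope); the intermediate id affiliationTerm is an assumption.

```xml
<!-- Added example (not from the original post): normalize the raw LDAP
     value first, then scope it. The id "affiliationTerm" is assumed. -->

<!-- Step 1: Mapped definition rewrites "students" to the eduPerson term
     "student". dependencyOnly="true" keeps this intermediate attribute out
     of the released set; it exists only to feed the Scoped definition. -->
<resolver:AttributeDefinition xsi:type="ad:Mapped" id="affiliationTerm"
                              sourceAttributeID="myAttribute" dependencyOnly="true">
    <resolver:Dependency ref="ldap" />
    <ad:ValueMap>
        <ad:ReturnValue>student</ad:ReturnValue>
        <ad:SourceValue>students</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>

<!-- Step 2: Scoped definition takes the normalized term as its source and
     appends the scope, producing scoped values that the ScopedString
     encoders will actually emit as "student@mydomain.ca". -->
<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonScopedAffiliation"
                              scope="%{idp.scope}" sourceAttributeID="affiliationTerm">
    <resolver:Dependency ref="affiliationTerm" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
</resolver:AttributeDefinition>
```

Two checks worth doing after the change: run aacli with --saml2 so it shows the encoded assertion rather than the resolved values, and confirm that the attribute-filter policy for the SP still releases eduPersonScopedAffiliation, since the released id is unchanged but the intermediate attributeTerm should not appear in the filter at all. Keep the ValueMap SourceValue list tight; a value the map does not match is dropped, which is the safe direction, whereas a permissive DefaultValue with passThru would let unvetted LDAP values reach the SP.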