Attribute mapping on new SP3 install

HCUK eLearning daveperryatwork at
Wed May 15 05:36:50 EDT 2019

Thanks Nate and Peter - that /Session URL did indeed match up with what
$_SERVER gave me.

The userPrincipalName comes from an AD attribute and includes the
domain/scope already. Looking at this page:

I can't see how to define a scope as a parameter (I tried scope="@" as an attribute of the definition, to no avail).

A post I found via google led me to attribute-policy on the SP side, so I
modified the scope on on ScopedRules there to be, and
restarted the SP. But it still didn't work.

I'm thinking it's better to understand and get it work rather than take the
shortcut of just redefining it on both sides as an unscoped attribute.


On Tue, May 14, 2019 at 5:12 PM Nate Klingenstein <ndk at> wrote:

> Dave,
> Right here:
> > 2019-05-14 17:02:15 DEBUG Shibboleth.AttributeFilter [1] [default]:
> applying filtering rule(s) for attribute (eppn) from (
> <
> >
> > 2019-05-14 17:02:15 WARN Shibboleth.AttributeFilter [1] [default]:
> removed value at position (0) of attribute (eppn) from (
> <
> Your problem is that the scope that is associated with this eppn is not
> one that is considered valid for the IdP
>, so the SP is discarding
> it.  You'll need to empower your IdP to express that scope, or in the case
> the scope happens to be a typo, rectify that.
> Best wishes,
> Nate.
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list