Attribute mapping on new SP3 install
HCUK eLearning
daveperryatwork at gmail.com
Wed May 15 08:24:50 EDT 2019
I wondered if the case had anything to do with it.
Currently, I can't tell the scope for UPN without looking at another AD
field - because if it's a student or staff member primarily based at our
Harrogate site, they have @harrogate.ac.uk in their UPN (political reason I
believe).
Harrogate is being devolved from our group in a few months' time though, so
once that happens then yes I can redo the definition as manually scoped (a
la ScopedAffiliation) at all lower-case domain.
Case is set by our IDM system, I doubt I can get that changed but will ask
(it required the provider to write custom code to make that staff/student
flag happen into AD).
Thanks,
Dave
On Wed, May 15, 2019 at 12:38 PM Peter Schober <peter.schober at univie.ac.at>
wrote:
> * HCUK eLearning <daveperryatwork at gmail.com> [2019-05-15 12:54]:
> > <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
> > Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
> > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> > <saml2:AttributeValue>Staff at hull-college.ac.uk
> > </saml2:AttributeValue>
> > </saml2:Attribute>
>
> Including the scoped affiliation in the example was helpful (since the
> logs show that this was processed successfully by the SP): Its scope
> is all lower-case (which I'd always recommend for sanity) -- though
> the affiliation value is not, which I'd suggest to also lowercase.
>
> > <saml2:Attribute FriendlyName="eduPersonPrincipalName"
> > Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
> > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> > <saml2:AttributeValue>70012521 at Hull-College.ac.uk
> > </saml2:AttributeValue>
> > </saml2:Attribute>
>
> Here the scope is not all lower-case, which is the mistake.
>
> > 2019-05-15 10:32:04 WARN Shibboleth.AttributeFilter [1] [default]: removed
> > value at position (0) of attribute (eppn) from (
> > https://shibb.hull-college.ac.uk/idp/shibboleth)
> > 2019-05-15 10:32:04 WARN Shibboleth.AttributeFilter [1] [default]: no
> > values left, removing attribute (eppn) from (
> > https://shibb.hull-college.ac.uk/idp/shibboleth)
>
> And so attributes with a scope of "Hull-College.ac.uk" are being
> filtered out.
>
> > From the IdP Metadata:
> > <shibmd:Scope regexp="false">Hull-College.ac.uk</shibmd:Scope>
>
> The only explanation for the SP's behaviour -- and the solution to that
> mystery -- is that this is wrong: The scope in metadata is all
> lower-case:
>
>
> https://met.refeds.org/met/entity/https%253A%252F%252Fshibb.hull-college.ac.uk%252Fidp%252Fshibboleth/?federation=uk-access-management-federation
>
> Contextual remark going forward: If keeping the casing of the scope
> consistent within the LDAP directory is difficult maybe you should
> throw away the scope from LDAP when loading it into the IdP and add
> it consistently again within the IdP?
>
> -peter
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
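The filtering behaviour discussed in this thread, as an added illustration (not Shibboleth SP or IdP code): a scoped value "user@scope" is only kept when its scope matches a shibmd:Scope published in the IdP's metadata, and a regexp="false" scope compares as a literal string, so the comparison is case-sensitive. The sample attribute values and the lower-case metadata scope are taken from the messages above; the function names, the simplified log format and the treatment of unscoped values as rejected are assumptions made for this model. The rescope() helper implements Peter's suggestion of discarding whatever scope the directory supplies and re-appending one canonical lower-case scope before the attribute is released.

```python
"""Model of Shibboleth-style scope filtering on scoped SAML attribute values.

Added illustration, not Shibboleth code. It shows why a value scoped
"Hull-College.ac.uk" is dropped when metadata publishes "hull-college.ac.uk":
a regexp="false" <shibmd:Scope> is compared as a literal, case-sensitive
string (assumption: simplified model of the SP's attribute filter).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MetadataScope:
    """One <shibmd:Scope regexp="...">value</shibmd:Scope> element."""
    value: str
    regexp: bool = False


# Constructed sample data drawn from the thread: the federation metadata
# carries an all lower-case scope, the eppn value carried a mixed-case one.
METADATA_SCOPES = [MetadataScope("hull-college.ac.uk", regexp=False)]
SAMPLE_ATTRIBUTES = {
    "affiliation": ["Staff@hull-college.ac.uk"],
    "eppn": ["70012521@Hull-College.ac.uk"],
}


def scope_matches(scope, allowed):
    """True if `scope` matches any published metadata scope.

    Literal scopes use plain string equality (case-sensitive); regexp
    scopes must match the whole scope string.
    """
    for entry in allowed:
        if entry.regexp:
            if re.fullmatch(entry.value, scope):
                return True
        elif entry.value == scope:
            return True
    return False


def split_scoped(value):
    """Split 'local@scope' on the last '@'; None if either part is missing."""
    local, sep, scope = value.rpartition("@")
    if not sep or not local or not scope:
        return None
    return local, scope


def filter_attribute(name, values, allowed, log):
    """Keep only values whose scope is published; log removals like the SP does."""
    kept = []
    for pos, value in enumerate(values):
        parts = split_scoped(value)
        if parts is not None and scope_matches(parts[1], allowed):
            kept.append(value)
        else:
            log.append(f"WARN AttributeFilter: removed value at position ({pos}) "
                       f"of attribute ({name})")
    if not kept:
        log.append(f"WARN AttributeFilter: no values left, removing attribute ({name})")
    return kept


def filter_attributes(attributes, allowed):
    """Run filter_attribute over every attribute; return (surviving attrs, log)."""
    log = []
    surviving = {}
    for name, values in attributes.items():
        kept = filter_attribute(name, values, allowed, log)
        if kept:
            surviving[name] = kept
    return surviving, log


def rescope(value, canonical_scope):
    """Drop any scope the directory supplied and re-append a canonical one
    (hypothetical helper modelling the 'add it consistently in the IdP' advice)."""
    local = value.rpartition("@")[0] if "@" in value else value
    return f"{local}@{canonical_scope.lower()}"


if __name__ == "__main__":
    released, warnings = filter_attributes(SAMPLE_ATTRIBUTES, METADATA_SCOPES)
    print("released as-is:", released)
    for line in warnings:
        print(line)
    fixed = {n: [rescope(v, "hull-college.ac.uk") for v in vs]
             for n, vs in SAMPLE_ATTRIBUTES.items()}
    print("released after rescoping:", filter_attributes(fixed, METADATA_SCOPES)[0])
```

Run as-is, the eppn value is removed and the attribute disappears, reproducing the two WARN lines quoted above; after rescope() both attributes survive. Lower-casing only the scope is enough for the filter; Peter's separate suggestion to lower-case the affiliation value itself ("staff" rather than "Staff") is about consistent values downstream, not about scope filtering.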