Attribute mapping on new SP3 install
Peter Schober
peter.schober at univie.ac.at
Wed May 15 08:33:47 EDT 2019
* HCUK eLearning <daveperryatwork at gmail.com> [2019-05-15 14:25]:
> I wondered if the case had anything to do with it.
While DNS domains (commonly used as scope values) are themselves
case-insensitive, the specification for handling of "scopes" relevant
here specifies scope comparison as case-sensitive (first part of the
sentence):
"Because scopes in metadata are matched exactly against the scope
component of attribute values in a case-sensitive manner, it is
RECOMMENDED that deployers adhere to a convention of representing
such scope values as lower case."
https://wiki.shibboleth.net/confluence/display/SC/ShibMetaExt+V1.0
> Currently, I can't tell the scope for UPN without looking at another AD
> field - because if it's a student or staff member primarily based at our
> Harrogate site, they have @harrogate.ac.uk in their UPN (political reason I
> believe).
> Harrogate is being devolved from our group in a few months' time though, so
> once that happens then yes I can redo the definition as manually scoped (a
> la ScopedAffiliation) at all lower-case domain.
>
> Case is set by our IDM system, I doubt I can get that changed but will ask
> (it required the provider to write custom code to make that staff/student
> flag happen into AD).
I don't understand most of the above (I thought UPN values are already
formatted with LHS + @ + DNS-domain, so why would you need to look at
/another/ "AD field"; also you can have any number of domains/scopes,
the IDP doesn't limit you to just one) but it sounds like your current
issue has been solved.
Maybe also talk to the UKfederation support (or the
JISC-SHIBBOLETH at JISCMAIL.AC.UK list) for suggestions from your
community of peers.
-peter
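
The case-sensitive scope check quoted above from ShibMetaExt V1.0, as an added example that is not part of the original message and not Shibboleth's own code. The metadata fragment, the sample values and the function names are constructed for illustration; splitting on the first "@" and full-string regex matching are assumptions of this sketch.

```python
import re
import xml.etree.ElementTree as ET

SHIBMD = "urn:mace:shibboleth:metadata:1.0"

# Constructed IdP metadata fragment (not the deployment discussed in the thread).
METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:shibmd="{SHIBMD}" entityID="https://idp.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">example.ac.uk</shibmd:Scope>
      <shibmd:Scope regexp="false">harrogate.ac.uk</shibmd:Scope>
    </Extensions>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def load_scopes(metadata_xml):
    """Return (literal scopes, compiled regexp scopes) declared in metadata."""
    literals, patterns = set(), []
    for el in ET.fromstring(metadata_xml).iter(f"{{{SHIBMD}}}Scope"):
        text = (el.text or "").strip()
        if el.get("regexp", "false") in ("true", "1"):
            patterns.append(re.compile(text))
        elif text:
            literals.add(text)
    return literals, patterns

def scope_allowed(value, literals, patterns):
    """Exact, case-sensitive comparison of the scope part; no lower-casing here."""
    local, sep, scope = value.partition("@")  # assumption: first "@" delimits
    if not (local and sep and scope):
        return False
    return scope in literals or any(p.fullmatch(scope) for p in patterns)

def normalize_scope(value):
    """IdP-side convention: lower-case only the scope, keep the left-hand side."""
    local, sep, scope = value.partition("@")
    return f"{local}@{scope.lower()}" if sep else value

def filter_values(values, metadata_xml=METADATA):
    """Keep only values whose scope the metadata declares for this IdP."""
    literals, patterns = load_scopes(metadata_xml)
    return [v for v in values if scope_allowed(v, literals, patterns)]

if __name__ == "__main__":
    released = ["jd@Harrogate.ac.uk", "jd@harrogate.ac.uk", "jd@other.org"]
    print(filter_values(released))
    print(filter_values([normalize_scope(v) for v in released]))
```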