cantor.2 at osu.edu
Mon Jun 1 14:56:32 UTC 2020
On 6/1/20, 10:49 AM, "users on behalf of Raymond DeCampo" <users-bounces at shibboleth.net on behalf of ray at decampo.org> wrote:
> Well I have made some progress. I found the attribute-filter.xml file
> and after entering in the configuration below, I am now getting the
> "mail" attribute returned from the IdP to the samltest.id SP. Thanks
> to everyone who took the time to look at my questions.
Per my response, "mail" is a classic example of the problem.
That attribute is:
- not defined to be specifically an organizationally-issued email address
- not guaranteed to be controlled by the IdP itself (it could be something the user enters)
- often subject to change or even reassignment to different users depending on the policies of the organization
It, and to a lesser extent the use of emailAddress formatted NameIDs, are a perfect example of what not to do, and yet it's endemic to cloud systems to misuse it that way because the consumer world standardized on it for lack of anything else to use.
There are any number of people on this list that will happily tell you why email addresses are totally inappropriate to use as an identifier.
More information about the users