Multiple values in email attribute

IAM David Bantz dabantz at alaska.edu
Wed May 27 19:24:06 UTC 2020


On Tue, May 26, 2020 at 11:58 PM leosimon <leosimon at digital-nirvana.com>
wrote:

> If I would have to limit the data with resolver or filter config, then any
> one of the values of the attribute will be passed to the consent page and
> released to SP right?


If you simply pull the "first" value from the mail attribute with a
ScriptedAttribute including something like:

    single-valued-mail.addValue(email.getValues().get(0));

then right, AFAIK you cannot be assured of resolving the same value on
subsequent logins.

That might be OK if the SP were using that attribute to send email, but
they are likely using it as a persistent scoped user identifier. In which
case you need a different strategy, such as encoding a scoped principal
name or building a scoped identifier from a uid; a different
ScriptedAttribute including something like:

    value = userid.getValues().get(0);
    single-valued-fake-mail.getValues().add(value + "@your.tld");


At my institution at least that "single-valued-fake-mail" represents a
persistent non-reassignable routable email address,
"canonicalEmail", for all users, so it's not a totally bad approach.

David Bantz
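
Added example, not part of the original message and not Shibboleth's own code: a plain JavaScript sketch of why "first mail value" can differ between logins while an identifier built from a single-valued uid plus a fixed scope does not. The function names, the sample user and the value orderings are constructed, and the arrays only stand in for the IdP's attribute value lists.

```javascript
// Plain JavaScript that mimics, but does not use, the IdP scripting API.
// All names are hypothetical; the directory values are constructed.

// Fragile: the "first" value depends on the order the values were returned in.
function firstMail(mailValues) {
  if (mailValues.length === 0) throw new Error("no mail value");
  return mailValues[0];
}

// Stable: derive the identifier from a single-valued uid plus a fixed scope.
function scopedIdFromUid(uidValues, scope) {
  if (uidValues.length !== 1) {
    throw new Error("expected exactly one uid value, got " + uidValues.length);
  }
  const uid = uidValues[0].trim();
  // Refuse values that would yield an ambiguous or malformed scoped identifier.
  if (uid === "" || /[@\s]/.test(uid)) {
    throw new Error("uid is empty or contains '@' or whitespace");
  }
  return uid + "@" + scope;
}

// Constructed sample: the same user as resolved at two different logins,
// with the multi-valued mail attribute returned in a different order.
const loginA = { uid: ["jdoe"], mail: ["jdoe@your.tld", "john.doe@dept.your.tld"] };
const loginB = { uid: ["jdoe"], mail: ["john.doe@dept.your.tld", "jdoe@your.tld"] };

// Compare what an SP would receive at each login under both strategies.
function compareStrategies(a, b, scope) {
  return {
    firstMailStable: firstMail(a.mail) === firstMail(b.mail),
    scopedIdStable: scopedIdFromUid(a.uid, scope) === scopedIdFromUid(b.uid, scope),
    scopedId: scopedIdFromUid(a.uid, scope),
  };
}

console.log(compareStrategies(loginA, loginB, "your.tld"));
```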