Force a fixe value for a Mapped AttributeDefinition (DocuSign AccountID)

[Cantor, Scott]

On 1/28/21, 3:01 PM, "users on behalf of Jehan PROCACCIA" <users-bounces at shibboleth.net on behalf of jehan.procaccia at tem-tsp.eu> wrote:

>    I want to send our AccountID (provided by docusign) in order that automatically at 1rst login our users be created with
> the correct permissions.

That may be the difference, our system is pre-provisioned I believe.

>    I create a wiki page reagarding that DS integration with shibboleth IDP 4 , because I encountered many customisation
> needed:
>    no encryption, specific nameID (persistent + mail based), mapping attributes, metadata exchange ... : 

They certainly support encryption, but they do require persistent NameIDs, I am aware of that. They do update email addresses based on that. It's all a bit under the covers but it matches what I had to do.

>    anyway, I'll be glad to have your opnion on my DS integration with IDP 4 , maybe I customized too many things that
> were not mandatory ? 

Only the encryption thing stands out.

I'm simply saying that when a vendor asks me to send them a fixed value for everybody, the obvious response is "why on earth can't you apply the same value at your end?". If the value is not in fact "fixed" but a signal to use a particular role and it just *happens* to be set the same for everyone, that's quite different. It's only fixed as a matter of policy choice, not design.

-- Scott