Releasing mail as scoped sAMAccountName for a specific SP

Nilan Morjaria-Patel N.Morjaria-Patel at
Tue Jun 15 14:17:32 UTC 2021

Hi Peter,

Thanks very much for the prompt reply.

I did attempt to do that with the output of aacli being

  "name": "mailFromSAMAccountName",
  "values": [

however the SP could not pick up the scope for some reason. So I resorted to using a script

<!-- UoS: mailFromSAMAccountName: value is the scoped sAMAccountName -->
<AttributeDefinition id="mailFromSAMAccountName" xsi:type="ScriptedAttribute" relyingParties="">
    <!-- We need LDAP for this attribute's value -->
    <InputDataConnector ref="uos_ldap" attributeNames="sAMAccountName" />

    <!-- How to encode the attribute in SAML -->
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />

    <!-- The script: a ScriptedAttribute needs its body inside a Script element -->
    <Script><![CDATA[
        // Only append the scope when LDAP actually returned a username
        if (sAMAccountName.getValues().size() > 0) {
            mailFromSAMAccountName.addValue(sAMAccountName.getValues().get(0) + "@%{idp.scope}");
        }
    ]]></Script>
</AttributeDefinition>

which resulted in

  "name": "mailFromSAMAccountName",
  "values": [
    "StringAttributeValue{value=nmp1u14 at}"

Not sure if this is the "best" way but it works.

From: users <users-bounces at> on behalf of Peter Schober <peter.schober at>
Sent: 14 June 2021 17:06
To: users at <users at>
Subject: Re: Releasing mail as scoped sAMAccountName for a specific SP


* Nilan Morjaria-Patel <N.Morjaria-Patel at> [2021-06-14 17:44]:
> I require help regarding the above. I have the following script in
> attribute-resolver.xml where the SP's only requirement is
> mail. However our users can change their mail prefix so we want to
> release the scoped sAMAccountName instead.

You'd use a Scoped attribute definition that slaps on %{idp.scope} to
your sAMAccountName attribute.
Then an Encoder to send it as mail attribute with a relyingParties
XML-attribute enumerating the SPs that require this hack.

No scripting necessary and likely will fix your issue of duplicate
values, too.
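
A Scoped attribute definition of the kind Peter describes, written out as an added example that is not from either post. It assumes Shibboleth IdP 4.x, the uos_ldap DataConnector and the sAMAccountName LDAP attribute from Nilan's snippet; the relyingParties entityID is a placeholder for the SP that needs the scoped username released as mail.

```xml
<!-- Added example, not from the original posts. Assumes Shibboleth IdP 4.x,
     the "uos_ldap" DataConnector and LDAP attribute "sAMAccountName" used in
     the thread; the entityID below is a placeholder for the SP that needs
     the scoped username released as mail. -->
<AttributeDefinition id="mailFromSAMAccountName" xsi:type="Scoped"
                     scope="%{idp.scope}">
    <!-- Pull the raw username from LDAP; the Scoped definition appends
         "@" + scope to every value, so no script is needed and each input
         value yields exactly one scoped value -->
    <InputDataConnector ref="uos_ldap" attributeNames="sAMAccountName" />

    <!-- Emit value@scope as one string under the mail OID, but only for
         the listed SP(s); other relying parties never receive this encoding -->
    <AttributeEncoder xsi:type="SAML2ScopedString" scopeType="inline"
                      name="urn:oid:0.9.2342.19200300.100.1.3"
                      friendlyName="mail" encodeType="false"
                      relyingParties="https://sp.example.org/shibboleth" />
</AttributeDefinition>
```

The inline scopeType is the part that matters for an SP expecting mail: the value and scope are joined into a single string with the "@" delimiter instead of being sent as a separate Scope XML attribute. The definition id still has to be permitted for that SP in attribute-filter.xml, and checking with aacli as in the thread should show a scope field alongside each value rather than a plain string.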
