edupersonscopedaffiliation order

Donald Lohr lohrda at jmu.edu
Wed Jun 16 18:56:59 UTC 2021


I've done LDAP service administration for more than 20 years (4 
different vendor products).

I've had several times when an application developers/company assumed 
the values in a multi-value attribute (like edupersonaffiliation) were 
stored in some logical weighted (sorted) fashion. Several understood 
they were not after I explained or showed them other user's that blew a 
hole in their theory, but others tried long and hard to convenience me 
otherwise.

We now have a new SP vendor that wants a primary role. We got away from 
that over 20 years ago and only set the ePPA to member for all users.  
It gets very messy when a user has multiple roles.  From a student point 
of view they may be a full time student and even a student employee. 
User logs into a student app that checks ePPA and having ePPA set to 
student is fine, but if the same student logs into an employee app also 
using ePPA when it is set to student causes login to fail.

So our preference became, the application needs to be smart enough to 
check from a list of all a user's roles and act accordingly.

Thanks,
Don

On 6/16/21 12:35 PM, Alan Buxey via users wrote:
> CAUTION: This email originated from outside of JMU. Do not click links or open attachments unless you recognize the sender and know the content is safe.
> ________________________________
>
> hi,
>
> maybe just luck at the time of query? you can query the LDAP as
> Shibboleth does . the order of the affiliation has no meaning, and
> should not be used to determine anything.
> Primary affiliation (ePPA) has its own attribute if you need to
> communicate the users primary role (be that staff, student etc.....) -
> if you are able to do that....
>
> alan
> --
> For Consortium Member technical support, see https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.shibboleth.net_confluence_x_coFAAg&d=DwICAg&c=eLbWYnpnzycBCgmb7vCI4uqNEB9RSjOdn_5nBEmmeq0&r=Pa2DB88IW_s2TyLfktHtWA&m=7VbzSmB-9Bi58HK6sLiRuD7OCtIwlAab5_tdUu-IDLs&s=hWssN1RklYZ07w4KSPJ05kWA1Q6Wq1mChOUhqbqvOSw&e=
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

-- 
D o n a l d   L o h r
I n f o r m a t i o n   S y s t e m s
J a m e s   M a d i s o n   U n i v e r s i t y
5 4 0 . 5 6 8 . 3 7 3 0



More information about the users mailing list