edupersonscopedaffiliation order

Cantor, Scott cantor.2 at
Wed Jun 16 19:03:15 UTC 2021

On 6/16/21, 2:57 PM, "users on behalf of Donald Lohr" <users-bounces at on behalf of lohrda at> wrote:

>    We now have a new SP vendor that wants a primary role. We got away from
>    that over 20 years ago and only set the ePPA to member for all users.
>    It gets very messy when a user has multiple roles.

I have a rule of never supporting any attribute with "Primary" in the name, it's a classic case of "I want the world to be simple and it's your job to allow me to pretend it is." No, it isn't. Go pound sand.

FWIW, SAML stipulates there are no ordered values in Attributes. The IdP just has some foibles in the filtering code that make it not only non-ordered but also unpredictable, and that wasn't deliberate. I think it's going to get fixed in V5 so that resolver order is maintained, but that's just to facilitate debugging and because what it's doing now is dumb. Obviously the IdP can't make LDAP behave in a manner it does not, so the actual order will always vary. We just didn't intend to be making it worse.

-- Scott
