>    We now have a new SP vendor that wants a primary role. We got away from 
>    that over 20 years ago and only set the ePPA to member for all users.  
>    It gets very messy when a user has multiple roles.


I have a rule of never supporting any attribute with "Primary" in the name; it's a classic case of "I want the world to be simple and it's your job to allow me to pretend it is." No, it isn't. Go pound sand.

FWIW, SAML stipulates there are no ordered values in Attributes. The IdP just has some foibles in the filtering code that make it not only non-ordered but also unpredictable, and that wasn't deliberate. I think it's going to get fixed in V5 so that resolver order is maintained, but that's just to facilitate debugging and because what it's doing now is dumb. Obviously the IdP can't make LDAP behave in a manner it does not, so the actual order will always vary. We just didn't intend to be making it worse.
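An added illustration of the point above, not code from the thread or from the Shibboleth project: SAML 2.0 assigns no order to the `<AttributeValue>` children of an `<Attribute>`, so an SP must consume them as a set. The snippet below builds two constructed assertions carrying the same eduPersonAffiliation values in different orders, shows that they parse to the same set, and derives a single role from an explicit SP-side precedence list rather than from whatever order the IdP happened to emit. The issuer URL, the assertion ID and the `ROLE_PRECEDENCE` ranking are assumptions for the example; the attribute OID is the standard eduPersonAffiliation one.

```python
"""Added example (not from the thread): consume SAML attribute values as a set.

SAML 2.0 defines no order for <AttributeValue> elements, so an SP must never
read the first value as "primary". Two constructed assertions with the same
eduPersonAffiliation values in different orders parse to the same set, and a
single role is chosen from an SP-side precedence list instead.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EPA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"  # eduPersonAffiliation (standard OID)


def _assertion(values):
    """Build a minimal constructed assertion; issuer and ID are made up."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0" '
        f'IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
        f"<saml:AttributeStatement>"
        f'<saml:Attribute Name="{EPA}" '
        f'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" '
        f'FriendlyName="eduPersonAffiliation">{vals}</saml:Attribute>'
        f"</saml:AttributeStatement></saml:Assertion>"
    )


# Same values, different order: an IdP may emit either on any given login.
ASSERTION_A = _assertion(["member", "staff", "faculty"])
ASSERTION_B = _assertion(["faculty", "member", "staff"])


def parse_attributes(xml_text):
    """Return {attribute Name: frozenset of values}.

    Order is discarded on purpose. In a real SP the signature is validated
    before anything in the assertion is trusted; that step is out of scope here.
    """
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        vals = frozenset(
            (v.text or "").strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")
        )
        # Merge if the same Name appears in more than one Attribute element.
        out[name] = out.get(name, frozenset()) | vals
    return out


# Assumed SP-side policy: the SP decides which affiliation wins, explicitly.
ROLE_PRECEDENCE = ("faculty", "staff", "student", "affiliate", "member")


def choose_role(affiliations, precedence=ROLE_PRECEDENCE):
    """Pick one role from a set of affiliations using a fixed ranking."""
    for role in precedence:
        if role in affiliations:
            return role
    return None


def main():
    attrs_a = parse_attributes(ASSERTION_A)
    attrs_b = parse_attributes(ASSERTION_B)
    print("same set regardless of order:", attrs_a == attrs_b)
    print("role for", sorted(attrs_b[EPA]), "->", choose_role(attrs_b[EPA]))


if __name__ == "__main__":
    main()
```

The only thing that makes the role choice stable is that the ranking lives in the SP's own configuration; nothing the IdP sends, and nothing about how it orders values, is relied on.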

