eduPersonTargetedID and transcoder rules

Wessel, Keith kwessel at
Tue Apr 5 22:40:56 UTC 2022

Nope, still doesn't work, but here's another clue.

Attributes are being released by <RequestedAttributes> elements in metadata and an attribute filter policy that releases any requested attributes from metadata to any SP in this particular group. With decoder = false, I get no attribute released. Without decoder = false, I do.

If I manually release eptid to a specific SP in attribute-filter.xml, though, I get the attribute released even when decoder = false

Not knowing the code, this seems totally weird and messed up. But I suspect you might have a theory what the connectionmight be... I hope.

From the metadata for this SP:

            <RequestedAttribute FriendlyName="eduPersonTargetedID" Name="urn:oid:" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>

From the attribute filter policy that's using that:

<AttributeRule attributeID="eduPersonTargetedID">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />

If I add a new attribute filter policy for the specific SP, though, it releases it.

Happy to turn up logging if you can guide me to which class to turn it up for.


-----Original Message-----
From: Cantor, Scott <cantor.2 at> 
Sent: Tuesday, April 5, 2022 5:06 PM
To: Shib Users <users at>
Cc: Wessel, Keith <kwessel at>
Subject: Re: eduPersonTargetedID and transcoder rules

On 4/5/22, 5:49 PM, "users on behalf of Wessel, Keith via users" <users-bounces at on behalf of users at> wrote:

>    With decoder = false, it doesn't show up for either the default json output or the saml2 output of aacli.

Checked again, I'm not seeing that. Shows up in both for me. You probably need to dig into the logs, something must be going wrong with it, but it's nothing obvious.

-- Scott

More information about the users mailing list