Shibboleth SP not able to get eppn value from Duo SSO

IAM David Bantz dabantz at
Fri Jan 21 23:06:22 UTC 2022

 At the risk of muddying the waters, I think Scott is appropriately
referring to Shibboleth IdP's very extensive ability to manipulate
directory attributes into SAML attributes. Cathy Scott appears to be asking
about SAML attribute configuration in Duo’s SSO IdP to deliver a SAML
attribute of un-scoped username. The documentation for Duo SSO IdP suggests only a simple mapping of claim name to
directory attribute. That might be enough if your directory contains an
un-scoped version of username (perhaps in cn or another attribute).

On 21Jan2022 at 13:38:57, "Cantor, Scott" <cantor.2 at> wrote:

> On 1/21/22, 5:23 PM, "users on behalf of Cathy Scott" <
> users-bounces at on behalf of cathystill at> wrote:
>
>    Apologies for the imprecise wording. I'm attempting to get a unique
>    value that aligns with the "username" field values in the application.
>    The username value is the part before the @ of userPrincipalName. Duo SSO
>    has preconfigured attributes email address, username, firstname, lastname
>    and display name. And no way to do a transform (as in ADFS). Can you offer
>    a suggestion on how to achieve this?
>
> The documentation covers how to map anything you want into the system and
> how to do some degree of transforms, assuming that gets you to a correct
> value. If you're not getting a matching value in any of the possible
> inputs, there's not much the SP can do about it.
>
> -- Scott
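The SP-side mapping and transform that the quoted reply refers to could look like the following. This is an added example, not part of the original thread or the project's shipped configuration: it uses the Shibboleth SP 3 `Transform` attribute resolver, and the SAML attribute name, the ids `upn` and `username`, and the domain `example.edu` are assumptions to be replaced with local values.

```xml
<!-- attribute-map.xml: expose the incoming UPN-style value under a local id.
     The name below is a placeholder; use the attribute name your IdP actually sends. -->
<Attribute name="PLACEHOLDER-SAML-ATTRIBUTE-NAME" id="upn"/>

<!-- shibboleth2.xml, inside <ApplicationDefaults>: chain the stock Query resolver
     with a Transform resolver that derives "username" from "upn".
     Both ids are hypothetical names chosen for this example. -->
<AttributeResolver type="Chaining">
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeResolver type="Transform" source="upn">
        <!-- example.edu is a placeholder domain. Anchoring the expression to one
             expected domain keeps a value scoped to a different domain from being
             reduced to the same bare username. -->
        <Regex match="^([^@]+)@example\.edu$" dest="username">$1</Regex>
    </AttributeResolver>
</AttributeResolver>
```

This only helps when the IdP releases some attribute that carries the full value; check how your SP version treats values that do not match the expression before relying on `username` for account matching.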