Help with InCommon and National Student Clearing House

[Peter Schober]

* Melvin Lasky via users <users at shibboleth.net> [2022-09-28 18:06]:
> I’m having an issue with the national student clearing house. They
> wanted 4 specific attributes, named in a specific way. I have done
> that, but not only does it send the four they want, it also sends
> the InCommon attributes. I guess it matches both.

And you're positive the problem (whatever the issue is) lies with
sending them additional attributes? An SP usually just ignores what
it's not interested in.

> How can I exclude the sending of the InCommon attributes while
> enabling the specific four for the Clearing House people.

There's no clean way to do it I can think of:

* You could duplicate the attributes you're releasing via your rule
"releaseToInCommon" and put them inside a DENY rule specific for the
SP.

* You could amend the "releaseToInCommon" rule to make sure it doesn't
match the SP. (I.e., combine the current PolicyRequirementRule with
AND and NOT for the specific SP or something to that effect.)

Maybe dynamically overriding the SP metadata (overriding the
registered-by-incommon entity attribute) would also be possible.

> So not exactly sure what to do.
> They have not been very responsive to say the least.

Personally I'd avoid messing with my config (because I think there's
no clean fix) and make sure the SP ignores what it's not interested
in. But then you already said the SP isn't cooperative.

> This is the first time I’m having an issue with an InCommon provider.
> Usually it’s 1-2-3.

That's a nice testimonial for federation or InCommon specifically.

-peter