<div dir="ltr">I wondered if the case had anything to do with it.<div><br></div><div>Currently, I can't tell the scope for UPN without looking at another AD field - because if it's a student or staff member primarily based at our Harrogate site, they have @<a href="http://harrogate.ac.uk">harrogate.ac.uk</a> in their UPN (political reason I believe).</div><div>Harrogate is being devolved from our group in a few months' time though, so once that happens then yes I can redo the definition as manually scoped (a la ScopedAffiliation) at all lower-case domain.  <br></div><div><br></div><div>Case is set by our IDM system, I doubt I can get that changed but will ask (it required the provider to write custom code to make that staff/student flag happen into AD). <br></div><div><br></div><div>Thanks,<br></div><div>Dave</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 15, 2019 at 12:38 PM Peter Schober <<a href="mailto:peter.schober@univie.ac.at">peter.schober@univie.ac.at</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* HCUK eLearning <<a href="mailto:daveperryatwork@gmail.com" target="_blank">daveperryatwork@gmail.com</a>> [2019-05-15 12:54]:<br>
>         <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"<br>
>             Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"<br>
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><br>
>             <saml2:AttributeValue><a href="mailto:Staff@hull-college.ac.uk" target="_blank">Staff@hull-college.ac.uk</a><br>
> </saml2:AttributeValue><br>
>         </saml2:Attribute><br>
<br>
Including the scoped affiliation in the example was helpful (since the<br>
logs show that this was processed successfully by the SP): Its scope<br>
is all lower-case (which I'd always recommend for sanity) -- though<br>
the affiliation value is not, which I'd suggest to also lowercase.<br>
<br>
>         <saml2:Attribute FriendlyName="eduPersonPrincipalName"<br>
>             Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"<br>
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><br>
>             <saml2:AttributeValue><a href="mailto:70012521@Hull-College.ac.uk" target="_blank">70012521@Hull-College.ac.uk</a><br>
> </saml2:AttributeValue><br>
>         </saml2:Attribute><br>
<br>
Here the scope is not all lower-case, which is the mistake.<br>
<br>
> 2019-05-15 10:32:04 WARN Shibboleth.AttributeFilter [1] [default]: removed<br>
> value at position (0) of attribute (eppn) from (<br>
> <a href="https://shibb.hull-college.ac.uk/idp/shibboleth" rel="noreferrer" target="_blank">https://shibb.hull-college.ac.uk/idp/shibboleth</a>)<br>
> 2019-05-15 10:32:04 WARN Shibboleth.AttributeFilter [1] [default]: no<br>
> values left, removing attribute (eppn) from (<br>
> <a href="https://shibb.hull-college.ac.uk/idp/shibboleth" rel="noreferrer" target="_blank">https://shibb.hull-college.ac.uk/idp/shibboleth</a>)<br>
<br>
And so attributes with a scope of "<a href="http://Hull-College.ac.uk" rel="noreferrer" target="_blank">Hull-College.ac.uk</a>" are being<br>
filtered out.<br>
<br>
> From the IdP Metadata:<br>
> <shibmd:Scope regexp="false"><a href="http://Hull-College.ac.uk" rel="noreferrer" target="_blank">Hull-College.ac.uk</a></shibmd:Scope><br>
<br>
The only explanation for the SP's behaviour -- and the solution to that<br>
mystery -- is that this is wrong: The scope in metadata is all<br>
lower-case:<br>
<br>
<a href="https://met.refeds.org/met/entity/https%253A%252F%252Fshibb.hull-college.ac.uk%252Fidp%252Fshibboleth/?federation=uk-access-management-federation" rel="noreferrer" target="_blank">https://met.refeds.org/met/entity/https%253A%252F%252Fshibb.hull-college.ac.uk%252Fidp%252Fshibboleth/?federation=uk-access-management-federation</a><br>
<br>
Contextual remark going forward: If keeping the casing of the scope<br>
consistent within the LDAP directory is difficult maybe you should<br>
throw away the scope from LDAP when loading it into the IDP and add<br>
it consistently again within the IDP?<br>
<br>
-peter<br>
</blockquote></div>
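Added example (not part of the original thread and not Shibboleth's own code): a Python model of the scope check discussed above, assuming the SP compares the scope of each value against the literal `shibmd:Scope` entries with an exact, case-sensitive match. The XML snippets are constructed from the values quoted in the thread, and the function names are hypothetical; `rescope` illustrates the suggestion to drop the directory's scope and re-append a fixed one.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed sample input, modelled on the values quoted in the thread.
METADATA = """<Extensions xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <shibmd:Scope regexp="false">hull-college.ac.uk</shibmd:Scope>
</Extensions>"""

ASSERTION = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute FriendlyName="eduPersonScopedAffiliation">
    <saml2:AttributeValue>Staff@hull-college.ac.uk
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonPrincipalName">
    <saml2:AttributeValue>70012521@Hull-College.ac.uk
    </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def metadata_scopes(xml_text):
    """Return the literal (regexp="false") scopes registered in metadata."""
    root = ET.fromstring(xml_text)
    return {s.text.strip() for s in root.findall("shibmd:Scope", NS)
            if s.get("regexp", "false") == "false"}


def filter_scoped(assertion_xml, scopes):
    """Split scoped values into (kept, removed) by exact, case-sensitive scope match."""
    kept, removed = [], []
    for attr in ET.fromstring(assertion_xml).findall("saml2:Attribute", NS):
        for val in attr.findall("saml2:AttributeValue", NS):
            value = val.text.strip()
            scope = value.rpartition("@")[2]
            (kept if scope in scopes else removed).append((attr.get("FriendlyName"), value))
    return kept, removed


def rescope(value, canonical_scope):
    """Drop whatever scope the directory supplied and append one fixed scope."""
    return value.split("@", 1)[0] + "@" + canonical_scope
```

With the constructed input, the mixed-case eduPersonPrincipalName value lands in `removed`, matching the WARN lines in the quoted log, and passes the check once re-scoped to the lower-case domain.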