<div dir="ltr">Hello,<br>
Finally, after many tests, I was able to import into the "attribute-resolver.xml" file the DN (ou=xxx,dc=aaa,dc=bbb) associated with the authenticated user.<br>
Now I can distinguish my users using the "ou" field present in the DN, and I was able to release the "eduPersonAffiliation" and "eduPersonScopedAffiliation" attributes, distinguishing them by the value of the "ou" field.<br>
The solution was to create an InputDataConnector in the "attribute-resolver.xml" file of my IdP that uses the "entryDN" attribute name from the LDAP, as follows:<br>
<InputDataConnector ref="myLDAP" attributeNames="entryDN" /><br>
and then associate it with the attribute I intended to define, in my case "eduPersonAffiliation".<br>
Below is an example of what I did:<br>
<br>
<AttributeDefinition id="eduPersonAffiliation" xsi:type="Mapped" dependencyOnly="true"><br>
  <InputDataConnector ref="myLDAP" attributeNames="entryDN" /><br>
  <ValueMap><br>
    <ReturnValue>student</ReturnValue><br>
    <SourceValue partialMatch="true">students</SourceValue><br>
  </ValueMap><br>
  <ValueMap><br>
    <ReturnValue>staff</ReturnValue><br>
    <SourceValue partialMatch="true">non_teachers</SourceValue><br>
  </ValueMap><br>
  <ValueMap><br>
    <ReturnValue>member</ReturnValue><br>
    <SourceValue partialMatch="true">students</SourceValue><br>
    <SourceValue partialMatch="true">non_teachers</SourceValue><br>
  </ValueMap><br>
</AttributeDefinition><br>
<br>
<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}"><br>
  <InputAttributeDefinition ref="eduPersonAffiliation" /><br>
</AttributeDefinition><br>
<br>
Thank you all for your answers and suggestions.<br>
Best regards.<br>
Tommaso</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 15 Nov 2021 at 19:46, Cantor, Scott <<a href="mailto:cantor.2@osu.edu">cantor.2@osu.edu</a>> wrote:<br></div><blockquote 
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 11/15/21, 1:39 PM, "users on behalf of Peter Schober" <<a href="mailto:users-bounces@shibboleth.net" target="_blank">users-bounces@shibboleth.net</a> on behalf of <a href="mailto:peter.schober@univie.ac.at" target="_blank">peter.schober@univie.ac.at</a>> wrote:<br>
<br>
> (Unless I misunderstood the question.)<br>
<br>
One of us did. My interpretation was that it's not possible for whatever reason after authentication to do searches for attributes using just the canonical principal name, and so the DN had to be obtained explicitly out of the results of authentication.<br>
<br>
But now that I write that out....that doesn't make sense. If that were the requirement, then the right answer would be to make the DN string the canonical principal name for the IdP.<br>
<br>
So you're right...if you can search the directory, then....search the directory for the DN.<br>
<br>
-- Scott<br>
<br>
<br>
-- <br>
For Consortium Member technical support, see <a href="https://shibboleth.atlassian.net/wiki/x/ZYEpPw" rel="noreferrer" target="_blank">https://shibboleth.atlassian.net/wiki/x/ZYEpPw</a><br>
To unsubscribe from this list send an email to <a href="mailto:users-unsubscribe@shibboleth.net" target="_blank">users-unsubscribe@shibboleth.net</a><br>
</blockquote></div>
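Editor's note (added example, not part of Tommaso's post or of the Shibboleth IdP code): the Mapped definition above feeds the whole entryDN string into each ValueMap, and partialMatch="true" is documented as a substring test of the SourceValue against that input. That means "students" also matches a DN whose ou is "ex_students", or whose cn happens to contain the word, and the user would be released as a student. The small model below reproduces that substring logic, then shows the check a practitioner would want instead: compare only against the value of an ou RDN, either by splitting the DN or by switching to partialMatch="false" (which, as the IdP documentation describes it, treats the SourceValue as a regular expression that must match the whole value). All DNs, function names (split_dn, map_partial, map_exact_ou, ou_regex, ou_regex_matches) and the VALUE_MAPS table are constructed for this illustration.

```python
"""Model of the Mapped/partialMatch logic from the posted attribute-resolver
snippet, applied to constructed entryDN values. Added example, not the
poster's config and not Shibboleth code: partialMatch="true" is modelled as
a substring match of SourceValue against the whole DN string."""
import re

# Mirrors the three <ValueMap> blocks in the post: (ReturnValue, [SourceValue...]).
VALUE_MAPS = [
    ("student", ["students"]),
    ("staff", ["non_teachers"]),
    ("member", ["students", "non_teachers"]),
]


def split_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, honouring backslash-escaped
    commas (RFC 4514). Multi-valued RDNs ('cn=a+sn=b') are not handled here."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def map_partial(entry_dn, value_maps=VALUE_MAPS):
    """What the posted config does: each SourceValue is looked for as a
    substring anywhere in the DN string, so any RDN containing it matches."""
    return [ret for ret, sources in value_maps
            if any(src in entry_dn for src in sources)]


def map_exact_ou(entry_dn, value_maps=VALUE_MAPS):
    """Hardened variant: compare SourceValue only against the full value of an
    'ou' RDN, so 'ex_students' or a cn containing 'students' no longer match."""
    ous = {value.lower() for attr, value in split_dn(entry_dn) if attr == "ou"}
    return [ret for ret, sources in value_maps
            if any(src.lower() in ous for src in sources)]


def ou_regex(source):
    """A SourceValue for partialMatch="false" (whole-value regular expression
    match) that pins the value to an ou RDN instead of any substring.
    Assumption: the IdP applies the regex to the entire input value."""
    return r"^(?:.*,)?ou=%s(?:,.*)?$" % re.escape(source)


def ou_regex_matches(source, entry_dn):
    """Evaluate ou_regex() as a whole-value match, the way the regex mode would."""
    return re.fullmatch(ou_regex(source), entry_dn) is not None


if __name__ == "__main__":
    # Constructed DNs; the second and third show the substring false positives.
    for dn in ("uid=tommaso,ou=students,dc=aaa,dc=bbb",
               "cn=students-helpdesk,ou=non_teachers,dc=aaa,dc=bbb",
               "uid=x,ou=ex_students,dc=aaa,dc=bbb"):
        print(dn)
        print("  partialMatch substring:", map_partial(dn))
        print("  exact ou RDN:          ", map_exact_ou(dn))
        print("  ou regex 'students':   ", ou_regex_matches("students", dn))
```

The regex form is the one that maps directly back to attribute-resolver.xml: replace each SourceValue with the output of ou_regex() and set partialMatch="false". Whichever form is used, the affiliation a user is released with should depend on which container the entry sits in, not on whether a chosen word appears somewhere in the DN text.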