Alistair Young wrote:
> > I wonder if the SP would be able to bend slightly by prepending all
> > their group names with some string such that they do form a valid URN
> they're unlikely to do this, Nick.
>
> ePSA has too strict a vocab and ePA requires URL/URN. What we're
> seeing is the application of shibboleth to "working systems",
> basically replacing username/password combos with attributes/values
> and eduPerson can't seem to cope with this "legacy" situation. Was
> hoping to avoid a custom attribute as their SP might not pass it on
> (it's not an I2 sp).

As Andy correctly mentions in relation to the entitlement value, you can
restrict release of your special affiliation values to just this SP, to
avoid causing trouble with other SPs.

Although it'd be against the specification (so it's just a suggestion),
if you were to set up attribute filters to only allow the values to this
SP, you could think about sending the values in eduPersonEntitlement
as-is, even though they're neither URL nor URI. If it works for your
situation, then it works, and as long as it's only filtered to that SP
then nobody else need ever know :)
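
The per-SP release restriction suggested in the message above, as an added example that is not part of the original thread. It assumes the attribute filter syntax of Shibboleth IdP v3 and later; the SP entityID and the group names are constructed placeholders.

```xml
<!-- attribute-filter.xml fragment (IdP v3+ syntax assumed) -->
<AttributeFilterPolicyGroup id="ExamplePolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Scoped policy: evaluated only when the requester is this one SP.
         The entityID is a placeholder. -->
    <AttributeFilterPolicy id="legacyGroupsToOneSP">
        <PolicyRequirementRule xsi:type="Requester"
                value="https://legacy-sp.example.org/shibboleth" />

        <AttributeRule attributeID="eduPersonEntitlement">
            <!-- Permit only the listed non-URI group names (constructed
                 sample values); every other value is filtered out. -->
            <PermitValueRule xsi:type="OR">
                <Rule xsi:type="Value" value="library-staff" />
                <Rule xsi:type="Value" value="course-admins" />
            </PermitValueRule>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Check that no other policy (in particular one whose
         PolicyRequirementRule is xsi:type="ANY") permits these values
         for eduPersonEntitlement, or every SP will receive them. -->
</AttributeFilterPolicyGroup>
```

Because filter policies are additive, the restriction only holds if the values are permitted in this policy and nowhere else.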