Alistair,
FWIW the Shib IdP explicitly handles this behaviour and you specify the
attribute name depending on whether you are doing SAML1 or SAML2. The
distro supplies the defaults.
ePSA:
  SAML1:
    name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
  SAML2:
    name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
ePTID:
  SAML1:
    name="urn:mace:dir:attribute-def:eduPersonTargetedID"
    *AND*
    name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
  SAML2:
    name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
    *ONLY*
ePPN:
  SAML1:
    name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
  SAML2:
    name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
ePE:
  SAML1:
    name="urn:mace:dir:attribute-def:eduPersonEntitlement"
  SAML2:
    name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
If you need anything else I would collect
http://svn.middleware.georgetown.edu/view/java-idp/trunk/resources/conf/attribute-resolver.xml?view=markup&pathrev=2712
and use that as reference
Hth
/r
> -----Original Message-----
> From: Discussion list for Shibboleth developments [mailto:JISC-
> [log in to unmask]] On Behalf Of Alistair Young
> Sent: 24 February 2010 10:46
> To: [log in to unmask]
> Subject: Implications of SAML2
>
> Hi folks,
>
> Does anyone know of any possible access implications of broadcasting
> support for SAML2 in IdP metadata? Most entities at the moment use
> "shibboleth" attributes, i.e. eduPerson but these don't exist in the
> SAML2 attribute profile. The same values are sent in different formats
> from eduPerson.
> Just wondering if this may have an impact on personalisations at SPs.
>
> thanks,
>
> Alistair
>
>
> --
> mov eax,1
> mov ebx,0
> int 80h
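
The naming difference listed in the reply above, as an added Python example that is not part of the original messages or of the Shibboleth code: an SP-side consumer maps the SAML1 and SAML2 names onto one canonical attribute name, so rules and personalisation keyed on eduPerson attributes keep working when an IdP starts answering with SAML2. The names `normalize`, `sample`, `TABLE` and `WIRE`, the sample statements and the `urn:example:` value are constructed for illustration, and the assertion signature is assumed to have been verified beforehand.

```python
import xml.etree.ElementTree as ET

# Added example: assumes the enclosing assertion's signature was already verified.
MACE = "urn:mace:dir:attribute-def:"
OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1."
# canonical name -> (names accepted in SAML1, names accepted in SAML2), per the reply
TABLE = {
    "eduPersonScopedAffiliation": ({MACE + "eduPersonScopedAffiliation"}, {OID + "9"}),
    "eduPersonTargetedID": ({MACE + "eduPersonTargetedID", OID + "10"}, {OID + "10"}),
    "eduPersonPrincipalName": ({MACE + "eduPersonPrincipalName"}, {OID + "6"}),
    "eduPersonEntitlement": ({MACE + "eduPersonEntitlement"}, {OID + "7"}),
}
# SAML version -> (assertion XML namespace, XML attribute that carries the name)
WIRE = {
    1: ("urn:oasis:names:tc:SAML:1.0:assertion", "AttributeName"),
    2: ("urn:oasis:names:tc:SAML:2.0:assertion", "Name"),
}

def normalize(statement_xml):
    """Return (saml_version, {canonical_name: [values]}, [unmapped names])."""
    root = ET.fromstring(statement_xml)
    for version, (ns, name_attr) in WIRE.items():
        if root.tag == "{%s}AttributeStatement" % ns:
            break
    else:
        raise ValueError("not a SAML 1.x or 2.0 AttributeStatement")
    lookup = {n: canon for canon, names in TABLE.items() for n in names[version - 1]}
    mapped, unmapped = {}, []
    for attr in root.findall("{%s}Attribute" % ns):
        name = attr.get(name_attr)
        values = ["".join(v.itertext()).strip() for v in attr]  # AttributeValue children
        if name in lookup:
            mapped.setdefault(lookup[name], []).extend(values)
        else:
            unmapped.append(name)  # worth logging: a rule keyed on this name never fires
    return version, mapped, unmapped

def sample(version, pairs):
    ns, name_attr = WIRE[version]
    body = "".join('<a:Attribute %s="%s"><a:AttributeValue>%s</a:AttributeValue></a:Attribute>'
                   % (name_attr, n, v) for n, v in pairs)
    return '<a:AttributeStatement xmlns:a="%s">%s</a:AttributeStatement>' % (ns, body)

# Constructed sample data: the same user seen over SAML1 and over SAML2
SAML1_SAMPLE = sample(1, [(MACE + "eduPersonScopedAffiliation", "staff@example.org")])
SAML2_SAMPLE = sample(2, [(OID + "9", "staff@example.org"), ("urn:example:attr:unmapped", "x")])

if __name__ == "__main__":
    print(normalize(SAML1_SAMPLE), normalize(SAML2_SAMPLE))
```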