>>> On 03/08/2010 at 08:02, in message <[log in to unmask]>, John Maddock <[log in to unmask]> wrote:
> Hi Heather.
>
>> This is what I have
>> <resolver:AttributeDefinition
>> id="eduPersonAffiliation"
>...
>> <resolver:AttributeEncoder
>> xsi:type="SAML1String"
>
> This should be:
> xsi:type="SAML1ScopedString"
>
> and this:
>
>> name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
>> <resolver:AttributeEncoder
>> xsi:type="SAML2String"
>
> likewise:
>
> xsi:type="SAML2ScopedString"
>
>> xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>> name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
>> friendlyName="eduPersonAffiliation" />
>
> and this:
> friendlyName="eduPersonScopedAffiliation" />
>
>> </resolver:AttributeDefinition>
>
> Regards,
> John
No, I think what Heather has is all a bit more mixed up than that.
You've got the urn:oid for eduPersonAffiliation there; you need to
change that too. Also, it's a definition for eduPersonAffiliation, not
ScopedAffiliation. Try:
<resolver:AttributeDefinition id="eduPersonScopedAffiliation"
    xsi:type="Scoped"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    scope="uni.ac.uk" sourceAttributeID="eduPersonAffiliation">
    <resolver:Dependency ref="MyRef" />
    <resolver:AttributeEncoder xsi:type="SAML1ScopedString"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
    <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
        friendlyName="eduPersonScopedAffiliation" />
</resolver:AttributeDefinition>
NB this is what's in the Setup2IdP reference you quoted, just changed
slightly to add your MyRef! I think something went awry in your cut and
paste, Heather!
-------
What I've got in my own is slightly different, as I generate
eduPersonAffiliation first and then use that as the source for
eduPersonScopedAffiliation, so what I have is:
<resolver:AttributeDefinition id="eduPersonAffiliation"
    xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML1String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
    <resolver:AttributeEncoder xsi:type="SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
        friendlyName="eduPersonAffiliation" />
    <Script><![CDATA[
        // here is a bit of script that does
        // eduPersonAffiliation.getValues().add("staff"); etc based on the
        // first character of an LDAP attribute
    ]]></Script>
</resolver:AttributeDefinition>
<!-- and then I use the eduPersonAffiliation attribute I made above to
     populate eduPersonScopedAffiliation -->
<resolver:AttributeDefinition id="eduPersonScopedAffiliation"
    xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    scope="dundee.ac.uk">
    <resolver:Dependency ref="eduPersonAffiliation" />
    <resolver:AttributeEncoder xsi:type="SAML1ScopedString"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
    <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
        friendlyName="eduPersonScopedAffiliation" />
</resolver:AttributeDefinition>
By doing it using a script I don't have to store values, member, staff,
student anywhere. They're inferred from other things I've already got
in the directory.
Cheers
Andy
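The mix-up discussed in this thread (scoped and unscoped encoders, wire names and friendlyNames crossed between eduPersonAffiliation and eduPersonScopedAffiliation) can be checked mechanically before a resolver file is deployed. The following is an added example, not part of the original messages or of Shibboleth itself; `lint_resolver`, the wrapping root element and the `xsi:type="Simple"` on the sample definition are assumptions, and the name table holds only the values quoted in the thread.

```python
import xml.etree.ElementTree as ET

RES = "urn:mace:shibboleth:2.0:resolver"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Wire names quoted in the thread for each attribute id.
KNOWN_NAMES = {
    "eduPersonAffiliation": {
        "urn:mace:dir:attribute-def:eduPersonAffiliation",
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"},
    "eduPersonScopedAffiliation": {
        "urn:mace:dir:attribute-def:eduPersonScopedAffiliation",
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"},
}

def lint_resolver(xml_text):
    """Return (definition id, problem) tuples for encoder mismatches."""
    findings = []
    root = ET.fromstring(xml_text)
    for ad in root.iter(f"{{{RES}}}AttributeDefinition"):
        ad_id = ad.get("id")
        # xsi:type may carry a prefix (e.g. "ad:Scoped"); compare the local part.
        scoped_def = ad.get(XSI_TYPE, "").split(":")[-1] == "Scoped"
        for enc in ad.findall(f"{{{RES}}}AttributeEncoder"):
            enc_type = enc.get(XSI_TYPE, "").split(":")[-1]
            if scoped_def != ("Scoped" in enc_type):
                findings.append((ad_id, f"encoder {enc_type} does not "
                                        "match the definition's scoping"))
            name = enc.get("name")
            if ad_id in KNOWN_NAMES and name not in KNOWN_NAMES[ad_id]:
                findings.append((ad_id, f"name {name} belongs to "
                                        "another attribute"))
            friendly = enc.get("friendlyName")
            if friendly is not None and friendly != ad_id:
                findings.append((ad_id, f"friendlyName {friendly} "
                                        "differs from the definition id"))
    return findings

# Constructed sample: an unscoped definition whose SAML1 encoder carries the
# scoped attribute's name. The root element and xsi:type="Simple" are assumed.
SAMPLE = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="Simple">
    <resolver:AttributeEncoder xsi:type="SAML1String"
        name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
    <resolver:AttributeEncoder xsi:type="SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
        friendlyName="eduPersonAffiliation" />
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""
```

Calling `lint_resolver(SAMPLE)` reports the crossed SAML1 name; a definition shaped like the corrected one above returns an empty list.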