Hi
Thanks to both of you. John, I tried what you suggested and ended up not releasing any affiliations at all, much less scoped ones.
Andy, you are right, it is all a bit more mixed up than that!
What I have is something more akin to what you are suggesting. I have an SQL database holding the attributes which are populating the eduPersonAffiliation, so I'm hoping all I need to do is make the eduPersonAffiliation populate the scoped version. I'm going to go back to where it releases the affiliations unscoped and then see if I can make it use that as the source for the scoped affiliation, as you have suggested.
Fingers crossed.
Thanks
Heather Peake
VLE Development Co-ordinator
Tel 01623 627191 ext 8564
-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Andy Swiffin
Sent: 03 August 2010 09:55
To: [log in to unmask]
Subject: Re: scoped affiliation not scoped
>>> On 03/08/2010 at 08:02, in message <[log in to unmask]>, John Maddock <[log in to unmask]> wrote:
> Hi Heather.
>
>> This is what I have
>> <resolver:AttributeDefinition
>> id="eduPersonAffiliation"
>...
>> <resolver:AttributeEncoder
>> xsi:type="SAML1String"
>
> This should be:
> xsi:type="SAML1ScopedString"
>
> and this:
>
>> name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
>> <resolver:AttributeEncoder
>> xsi:type="SAML2String"
>
> likewise:
>
> xsi:type="SAML2ScopedString"
>
>> xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>> name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
>> friendlyName="eduPersonAffiliation" />
>
> and this:
> friendlyName="eduPersonScopedAffiliation" />
>
>> </resolver:AttributeDefinition>
>
> Regards,
> John
No, I think what Heather has is all a bit more mixed up than that.
You've got the urn:oid for eduPersonAffiliation there, you need to
change that too, also it's a definition for eduPersonAffiliation not
ScopedAffiliation. Try:
<resolver:AttributeDefinition id="eduPersonScopedAffiliation"
    xsi:type="Scoped"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    scope="uni.ac.uk" sourceAttributeID="eduPersonAffiliation">
  <resolver:Dependency ref="MyRef" />
  <resolver:AttributeEncoder xsi:type="SAML1ScopedString"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
  <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
      friendlyName="eduPersonScopedAffiliation" />
</resolver:AttributeDefinition>
NB this is what's in the Setup2IdP reference you quoted, just changed
slightly to add your MyRef! I think something went awry in your cut and
paste, Heather!
-------
What I've got in my own is slightly different as I generate
eduPersonAffiliation first and then use that as the source for
eduPersonScopedAffiliation, so what I have is:
<resolver:AttributeDefinition id="eduPersonAffiliation"
    xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="SAML1String"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
  <resolver:AttributeEncoder xsi:type="SAML2String"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
      friendlyName="eduPersonAffiliation" />
  <Script> <![CDATA[
    // here is a bit of script that does
    // eduPersonAffiliation.getValues().add("staff"); etc based on the first
    // character of an LDAP attribute
  ]]>
  </Script>
</resolver:AttributeDefinition>
// and then I use the eduPersonAffiliation attribute I made above to populate eduPersonScopedAffiliation
<resolver:AttributeDefinition id="eduPersonScopedAffiliation"
    xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    scope="dundee.ac.uk">
  <resolver:Dependency ref="eduPersonAffiliation" />
  <resolver:AttributeEncoder xsi:type="SAML1ScopedString"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
  <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
      friendlyName="eduPersonScopedAffiliation" />
</resolver:AttributeDefinition>
By doing it using a script I don't have to store values, member, staff,
student anywhere. They're inferred from other things I've already got
in the directory.
Cheers
Andy
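
The mix-up discussed in this thread (an eduPersonAffiliation id and OID combined with the eduPersonScopedAffiliation name and unscoped encoders) can be checked for mechanically before a resolver file is deployed. The Python check below is an added example, not part of the original messages and not Shibboleth code; `lint_resolver` and `sample` are hypothetical names, the rule that friendlyName matches the definition id is an assumption taken from the configurations quoted above, and both inputs are constructed.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
RES = "urn:mace:shibboleth:2.0:resolver"
TYPE, TAG = f"{{{XSI}}}type", f"{{{RES}}}"
MACE = "urn:mace:dir:attribute-def:"
# (SAML1 name, SAML2 name) per attribute id, as quoted in the thread.
NAMES = {
    "eduPersonAffiliation": (MACE + "eduPersonAffiliation", "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"),
    "eduPersonScopedAffiliation": (MACE + "eduPersonScopedAffiliation", "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"),
}

def lint_resolver(xml_text):
    """Return findings for affiliation definitions whose parts disagree."""
    findings = []
    for ad in ET.fromstring(xml_text).iter(TAG + "AttributeDefinition"):
        attr_id = ad.get("id")
        if attr_id not in NAMES:
            continue
        scoped = attr_id == "eduPersonScopedAffiliation"
        if (ad.get(TYPE) or "").split(":")[-1] == "Scoped" and not ad.get("scope"):
            findings.append(f"{attr_id}: Scoped definition without a scope")
        for enc in ad.iter(TAG + "AttributeEncoder"):
            enc_type = (enc.get(TYPE) or "").split(":")[-1]
            expected = NAMES[attr_id][1 if enc_type.startswith("SAML2") else 0]
            if ("Scoped" in enc_type) != scoped:
                findings.append(f"{attr_id}: {enc_type} encoder does not suit this id")
            if enc.get("name") != expected:
                findings.append(f"{attr_id}: {enc_type} name should be {expected}")
            friendly = enc.get("friendlyName")
            if friendly and friendly != attr_id:
                findings.append(f"{attr_id}: friendlyName is {friendly}")
    return findings

def sample(attr_id, ad_attrs, kind, names, friendly=None):
    """Build a constructed one-definition resolver document for the demo."""
    enc = '<resolver:AttributeEncoder xmlns="urn:mace:shibboleth:2.0:attribute:encoder" '
    return (f'<resolver:AttributeResolver xmlns:resolver="{RES}" xmlns:xsi="{XSI}">'
            f'<resolver:AttributeDefinition id="{attr_id}" {ad_attrs}>'
            f'<resolver:Dependency ref="MyRef"/>'
            f'{enc}xsi:type="SAML1{kind}" name="{names[0]}"/>'
            f'{enc}xsi:type="SAML2{kind}" name="{names[1]}" friendlyName="{friendly or attr_id}"/>'
            f'</resolver:AttributeDefinition></resolver:AttributeResolver>')

# Constructed inputs (not a real file): MIXED has an unscoped id with the scoped SAML1 name.
MIXED = sample("eduPersonAffiliation", 'xsi:type="Simple"', "String",
               (NAMES["eduPersonScopedAffiliation"][0], NAMES["eduPersonAffiliation"][1]))
FIXED = sample("eduPersonScopedAffiliation", 'xsi:type="Scoped" scope="uni.ac.uk"',
               "ScopedString", NAMES["eduPersonScopedAffiliation"])
```

Calling `lint_resolver(MIXED)` reports the SAML1 name that belongs to the other attribute, while `lint_resolver(FIXED)` returns an empty list.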