> Probably there is some check in the home institution to determine
> whether the user is actually authorized to access the eduroam service,
> but AFAIK, that information is not provided to the visited institution.
That would be the missing piece, then.
> Of course this mapping could be based on the entitlement attribute, for
> example. Degree students could be mapped to the "students" account, PhD
> students to the "phds" one, and professors to the "professors" one. I
> was just trying to simplify the idea.
It simplifies it for you, but not for me (the IdP operator). It's your network, so it really should be your policy, not mine.
> On the other hand, my first intention was to map the User-Name RADIUS
> attribute (instead of the SAML one) to the local username, but I was
> unable to.
That definitely works, so your RADIUS attributes were off in some way, or there'd be logging indicating a problem with the extraction.
-- Scott
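The mapping sketched in the thread (RADIUS User-Name extraction plus an entitlement-to-local-account policy kept on the visited institution's side), as an added example that is not part of the original messages. The entitlement URNs, the `ENTITLEMENT_TO_LOCAL` table and the attribute dict layout are constructed assumptions; it denies by default and logs when extraction from User-Name fails.

```python
import logging
import re

log = logging.getLogger("eduroam-map")

# Hypothetical visited-institution policy (constructed values): which SAML
# entitlement values map to which local account. It lives at the visited
# site because it is that site's network policy, not the IdP's.
ENTITLEMENT_TO_LOCAL = {
    "urn:mace:example.edu:entitlement:student": "students",
    "urn:mace:example.edu:entitlement:phd": "phds",
    "urn:mace:example.edu:entitlement:faculty": "professors",
}

# RADIUS User-Name in NAI form: user@realm
NAI_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<realm>[A-Za-z0-9.-]+)$")


def parse_user_name(user_name):
    """Split a RADIUS User-Name (user@realm) into (user, realm).

    Returns None for anything that is not an NAI; that is the case the
    extraction logs should make visible rather than silently passing."""
    m = NAI_RE.match(user_name or "")
    if not m:
        log.warning("could not extract user/realm from User-Name %r", user_name)
        return None
    return m.group("user"), m.group("realm").lower()


def map_to_local_account(radius_attrs, saml_attrs, expected_realm):
    """Choose the local account for a roaming user, or None to reject.

    radius_attrs: dict of RADIUS attributes, needs "User-Name".
    saml_attrs:   dict of SAML attributes, "eduPersonEntitlement" is a list.
    Deny by default: realm mismatch or no mapped entitlement yields None."""
    parsed = parse_user_name(radius_attrs.get("User-Name"))
    if parsed is None:
        return None
    user, realm = parsed
    if realm != expected_realm.lower():
        log.warning("realm %s does not match expected %s", realm, expected_realm)
        return None
    for value in saml_attrs.get("eduPersonEntitlement", []):
        if value in ENTITLEMENT_TO_LOCAL:
            return ENTITLEMENT_TO_LOCAL[value]
    log.info("no mapped entitlement for %s@%s; rejecting", user, realm)
    return None
```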