On 2/26/14, 7:45 AM, "Sami Silén" <[log in to unmask]> wrote:
>
>And yes, your thoughts were helpful, even if it raises many questions:
>should we really consider other ways than eppn? Currently eppn is just
>the only feasible attribute available for mapping.

I would note that the Shibboleth SP can query a second Attribute Authority
using SAML using any attribute you want to build on top of, so you don't
have to link using EPPN if you prefer to use something else, and you have
some kind of web-based portal to establish the link.

With respect to a local LDAP, obviously you could stand up a Shibboleth
IdP or other AA implementation to front-end the LDAP for SAML queries, or
alternatively somebody is welcome to build a resolver plugin for the SP
that just does LDAP natively without the SAML in between. I am not fluent
in LDAP, nor do I have any idea what LDAP library would be the best option
to use, or I would have done one at some point. I'm happy to maintain it
going forward if it's contributed by somebody else.

-- Scott