On 23/07/2018 14:23, Peter Schober wrote:
> FYI, 3.0.0 is a new major version of the software, not a patch.
>
Thanks, I had just worked that out. Package managers do seem to be
treating it as an upgrade so it got installed automatically; while I was
on holiday of course :-(
> Technical answer to get it working again:
>
> Uncommenting that definition (as it's now commented out by default) is
> the right change if you want to process this SAML attribute.
> Personally I'd map it to "targeted-id" (not "persistent-id", as
> above), though (and make sure there's no rule for "targeted-id"
> anymore in attribute-policy.xml), and also uncomment the Attribute
> immediately below in the new default attribute-map.xml:
>
> <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
> <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
> </Attribute>
>
> That makes sure that
>
> 1. You also accept the exact same data structure (a NameID XML
> element) when it's being sent in the Subject element of the SAML
> Assertion (not just as AttributeValue of the ePTID Attribute),
> and also
>
> 2. In case an IDP sends it in both places (sadly a recommendation that
> made its way into some old eduGAIN policy documents) mapping them to
> different internal ids will prevent both being mapped to the same id,
> with multiple (usually identical) values.
>
> Then add both to the REMOTE_USER precedence list in shibboleth2.xml so
> you don't have to care which one was sent. Just use REMOTE_USER in
> your application instead.
>
Thanks, that's useful. I'm already just using REMOTE_USER.
Stephen
--
======================================================================
|epcc| Dr Stephen P Booth Principal Architect |epcc|
|epcc| [log in to unmask] Phone 0131 650 5746 |epcc|
======================================================================
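
A check for the configuration the quoted reply describes, as an added example that is not part of the original messages and is not Shibboleth tooling: it confirms that the ePTID Attribute and the persistent NameID are both active, map to different internal ids, and that both ids are in the REMOTE_USER list. The XML samples and the entityID are constructed, and the eduPersonTargetedID OID is assumed to be the name of the definition the reply refers to.

```python
import xml.etree.ElementTree as ET

EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # assumed: eduPersonTargetedID sent as a SAML Attribute
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"  # NameID in the Subject
DECODER = ('<AttributeDecoder xsi:type="NameIDAttributeDecoder" '
           'formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>')

# Constructed sample: attribute-map.xml after the change suggested in the thread
ATTRIBUTE_MAP = f"""<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="{EPTID}" id="targeted-id">{DECODER}</Attribute>
  <Attribute name="{PERSISTENT}" id="persistent-id">{DECODER}</Attribute>
</Attributes>"""

# Constructed sample: the relevant part of shibboleth2.xml (entityID is a placeholder)
SHIBBOLETH2 = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
      REMOTE_USER="eppn persistent-id targeted-id"/>
</SPConfig>"""

def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def mapped_ids(attribute_map_xml):
    """Return {SAML name: internal id}; commented-out definitions are not seen."""
    root = ET.fromstring(attribute_map_xml)
    return {el.get("name"): el.get("id") for el in root.iter() if local(el.tag) == "Attribute"}

def remote_user_list(sp_config_xml):
    """Return the REMOTE_USER precedence list from ApplicationDefaults."""
    for el in ET.fromstring(sp_config_xml).iter():
        if local(el.tag) == "ApplicationDefaults":
            return (el.get("REMOTE_USER") or "").split()
    return []

def check(attribute_map_xml, sp_config_xml):
    """Return a list of problems; an empty list means the setup matches the advice."""
    ids, problems = mapped_ids(attribute_map_xml), []
    for name in (EPTID, PERSISTENT):
        if name not in ids:
            problems.append(f"{name} is not mapped (still commented out?)")
    if EPTID in ids and ids[EPTID] == ids.get(PERSISTENT):
        problems.append(f"both sources map to the same id '{ids[EPTID]}'; "
                        "an IdP sending both produces a multi-valued attribute")
    remote_user = remote_user_list(sp_config_xml)
    for name in (EPTID, PERSISTENT):
        if name in ids and ids[name] not in remote_user:
            problems.append(f"id '{ids[name]}' is missing from REMOTE_USER")
    return problems
```
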