>The fallback position (which we will be using ourselves if a more general
>approach is not available in time) is to select from the federation
>metadata the scopes of all IdP organisations of interest. The metadata
>contains both the verified name of the organisation (which can be
>compared with the lists Sean Dunne mentioned) and the scope. The SP
>then has to authorise based on eduPersonScopedAffiliation having one of
>the selected scopes (and member, staff, student etc. as required).

Fiona,

OK. I can now use either of the following solutions. I now just need to create the list based on the list provided by Sean Dunne and the verified name of the organization.

Both solutions work fine. The only thing which I find strange is that the member scope does not include staff or student. According to your ppt presentation (www.jisc.ac.uk/uploaded_documents/SDSS%20-%20Fiona%20Culloch.ppt), the member scope should include staff or student as well as a few others?

Solution 1:

require affiliation [log in to unmask]
require affiliation [log in to unmask]

Solution 2:

<?xml version="1.0" encoding="UTF-8"?>
<AccessControl xmlns="urn:mace:shibboleth:target:config:1.0">
  <OR>
    <Rule require="affiliation">[log in to unmask]</Rule>
    <Rule require="affiliation">[log in to unmask]</Rule>
    <Rule require="affiliation">[log in to unmask]</Rule>
  </OR>
</AccessControl>

Thierry.
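
Added example, not part of the original message or of Shibboleth itself: a Python sketch of the fallback described in the quoted text, which reads federation metadata, keeps the scopes of IdPs whose OrganizationName is on an approved list, and emits AccessControl rules in the shape of Solution 2. The sample metadata, organisation names and function names are constructed, and it assumes scopes are published as shibmd:Scope elements in the urn:mace:shibboleth:metadata:1.0 namespace.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SHIBMD = "{urn:mace:shibboleth:metadata:1.0}"     # assumed Scope extension namespace
TARGET = "urn:mace:shibboleth:target:config:1.0"  # namespace from Solution 2
ET.register_namespace("", TARGET)

# Constructed sample metadata, trimmed to the elements used here.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
 <EntityDescriptor entityID="https://idp.alpha.example/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
   <Extensions><shibmd:Scope regexp="false">alpha.example</shibmd:Scope>
    <shibmd:Scope regexp="true">^.+[.]alpha[.]example$</shibmd:Scope></Extensions>
  </IDPSSODescriptor>
  <Organization><OrganizationName xml:lang="en">University of Alpha</OrganizationName></Organization>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://idp.beta.example/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
   <Extensions><shibmd:Scope regexp="false">beta.example</shibmd:Scope></Extensions>
  </IDPSSODescriptor>
  <Organization><OrganizationName xml:lang="en">Beta Ltd</OrganizationName></Organization>
 </EntityDescriptor>
</EntitiesDescriptor>"""

def scopes_for(metadata_xml, approved_names):
    """Return sorted literal scopes of IdPs whose OrganizationName is approved."""
    wanted = {n.strip().casefold() for n in approved_names}
    scopes = set()
    for entity in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        names = {(e.text or "").strip().casefold() for e in entity.iter(MD + "OrganizationName")}
        if entity.find(MD + "IDPSSODescriptor") is None or not names & wanted:
            continue
        for s in entity.iter(SHIBMD + "Scope"):
            # A regexp scope is a pattern, not a literal value to put in a rule; skip it.
            if s.get("regexp", "false").lower() not in ("true", "1") and s.text:
                scopes.add(s.text.strip().lower())
    return sorted(scopes)

def access_control(scopes, affiliations):
    """Build an <AccessControl> OR-list with one Rule per affiliation@scope."""
    root = ET.Element(f"{{{TARGET}}}AccessControl")
    any_of = ET.SubElement(root, f"{{{TARGET}}}OR")
    for scope in scopes:
        for aff in affiliations:
            rule = ET.SubElement(any_of, f"{{{TARGET}}}Rule", {"require": "affiliation"})
            rule.text = f"{aff}@{scope}"
    return ET.tostring(root, encoding="unicode")
```

Organisations that match no approved name contribute no rule, so the generated list only ever names scopes that the metadata ties to a listed organisation.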