Thanks Rod and Peter. It's the SP side of things I'm worried about. It will see a different attribute from eduPersonTargetedID, i.e. it'll see the SAML2 version. I was just wondering if that could cause personalisation problems at the SP, as although the value is the same, the name isn't and the scope is inline. I know some SPs do a bit of munging with ePTID to store personalisations.

Alistair

--
mov eax,1
mov ebx,0
int 80h

On 24 Feb 2010, at 13:58, Rod Widdowson wrote:

> Alistair,
>
> FWIW the Shib IdP explicitly handles this behaviour and you specify the
> attribute name depending on whether you are doing SAML1 or SAML2. The
> distro supplies the defaults.
>
> ePSA
>   SAML1:
>     name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
>   SAML2:
>     name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
> ePTID:
>   SAML1:
>     name="urn:mace:dir:attribute-def:eduPersonTargetedID"
>     *AND*
>     name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
>   SAML2:
>     name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
>     *ONLY*
> ePPN:
>   SAML1:
>     name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
>   SAML2:
>     name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
>
> ePE:
>   SAML1:
>     name="urn:mace:dir:attribute-def:eduPersonEntitlement"
>   SAML2:
>     name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
>
> If you need anything else I would collect
> http://svn.middleware.georgetown.edu/view/java-idp/trunk/resources/conf/attribute-resolver.xml?view=markup&pathrev=2712
> and use that as reference
>
> Hth
>
> /r
>
>> -----Original Message-----
>> From: Discussion list for Shibboleth developments
>> [mailto:JISC-[log in to unmask]] On Behalf Of Alistair Young
>> Sent: 24 February 2010 10:46
>> To: [log in to unmask]
>> Subject: Implications of SAML2
>>
>> Hi folks,
>>
>> Does anyone know of any possible access implications of broadcasting
>> support for SAML2 in IdP metadata? Most entities at the moment use
>> "shibboleth" attributes, i.e. eduPerson but these don't exist in the
>> SAML2 attribute profile. The same values are sent in different formats
>> from eduPerson.
>> Just wondering if this may have an impact on personalisations at SPs.
>>
>> thanks,
>>
>> Alistair
>>
>>
>> --
>> mov eax,1
>> mov ebx,0
>> int 80h
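
One way an SP can keep personalisation keys stable across the SAML1 and SAML2 names listed in this thread, as an added example that is not part of the original messages and not Shibboleth's own code. The short ids, the `normalise` function and both sample statements are constructed for illustration, and the SAML1 sample assumes the scope travels in a `Scope` XML attribute rather than inline.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Wire names as listed in the quoted reply; the short ids are this example's own.
CANONICAL = {
    "urn:mace:dir:attribute-def:eduPersonScopedAffiliation": "ePSA",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "ePSA",
    "urn:mace:dir:attribute-def:eduPersonTargetedID": "ePTID",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "ePTID",
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": "ePPN",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "ePPN",
    "urn:mace:dir:attribute-def:eduPersonEntitlement": "ePE",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "ePE",
}

def normalise(statement_xml):
    """Map an already-validated attribute statement to
    ({canonical id: [values]}, [unmapped wire names])."""
    known, unmapped = {}, []
    for el in ET.fromstring(statement_xml).iter():
        if el.tag == "{%s}Attribute" % SAML1_NS:
            name, ns = el.get("AttributeName"), SAML1_NS
        elif el.tag == "{%s}Attribute" % SAML2_NS:
            name, ns = el.get("Name"), SAML2_NS
        else:
            continue
        if name not in CANONICAL:
            unmapped.append(name)  # surface for logging, never guess a mapping
            continue
        for v in el.findall("{%s}AttributeValue" % ns):
            text = "".join(v.itertext()).strip()
            scope = v.get("Scope")  # assumed SAML1 form; SAML2 has scope inline
            value = text + "@" + scope if scope else text
            known.setdefault(CANONICAL[name], []).append(value)
    return known, unmapped

# Constructed sample statements (fragments, not full signed assertions).
SAML1_SAMPLE = """<AttributeStatement xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
 <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName">
  <AttributeValue Scope="example.org">alice</AttributeValue>
 </Attribute></AttributeStatement>"""
SAML2_SAMPLE = """<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
 <Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
  <AttributeValue>alice@example.org</AttributeValue></Attribute>
 <Attribute Name="urn:oid:2.5.4.42"><AttributeValue>Alice</AttributeValue></Attribute>
</AttributeStatement>"""
```

Keying stored personalisations on the canonical id and the normalised value, rather than on the wire name, means the same user resolves to the same record whichever protocol the IdP uses.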