On 4/18/13 3:27 PM, "David Chadwick" wrote:

>There are at least two solutions to this problem
>
>a) either the IDP sends the group and other attributes that the RP needs
>(maybe it has a local mapping capability that can map from internal
>attributes to externally needed ones, per RP), or
>b) the RP has an attribute mapping capability that allows it to map an
>input set of IDP asserted attributes into a local set of authz
>attributes, or
>c) both are implemented.
>
>Shibboleth implements the former, by sending eduPerson attributes to
>SPs. We have implemented the latter in OpenStack for our cloud solution

Shibboleth implements both, not just the former.

-- Scott