>>>>> "Stefan" == Stefan Paetow writes:

    Stefan> Ok, that's interesting. So if neither CUI nor User-Name are
    Stefan> set, but the authorization and authentication succeeded,
    Stefan> that's acceptable? Which of the two attributes is used for
    Stefan> local user mapping (i.e. for home directories in an SSH
    Stefan> context) - I assume (based on the Wiki docs) it should be
    Stefan> User-Name?

In the case of ssh, neither.
Whatever username is passed in as the service request username (-l
option to ssh command) is used.
The code calls gss_userok to ask the question of whether the initiator
identity is permitted to log into that account.

The Moonshot mechanism allows Shibboleth to map whatever the
administrator configures to the local-login-user Shibboleth attribute.
That Shibboleth attribute can be used to control ssh access.

--Sam