Probably there is some check in the home institution to determine
whether the user is actually authorized to access the eduroam service,
but AFAIK, that information is not provided to the visited institution.
That would be the missing piece, then.
Of course this mapping could be based on the entitlement attribute, for
example. Degree students could be mapped to the "students" account, PhD
students to the "phds" one, and professors to the "professors" one. I
was just trying to simplify the idea.
It simplifies it for you, but not for me (the IdP operator). It's your network, so it really should be your policy, not mine.
On the other hand, my first intention was to map the User-Name RADIUS
attribute (instead of the SAML one) to the local username, but I was
unable to.
That definitely works, so your RADIUS attributes were off in some way, or there'd be logging indicating a problem with the extraction.
Hello Scott,