On 17/06/13 12:46, Alejandro Perez Mendez wrote:
On 14/06/13 21:52, Cantor, Scott wrote:
Probably there is some check in the home institution to determine
whether the user is actually authorized to access the eduroam service,
but AFAIK, that information is not provided to the visited institution.
That would be the missing piece, then.

Of course this mapping could be based on the entitlement attribute, for
example. Degree students could be mapped to the "students" account, PhD
students to the "phds" one, and professors to the "professors" one. I
was just trying to simplify the idea.
It simplifies it for you, but not for me (the IdP operator). It's your network, so it really should be your policy, not mine.

On the other hand, my first intention was to map the User-Name RADIUS
attribute (instead of the SAML one) to the local username, but I was
unable to.
That definitely works, so your RADIUS attributes were off in some way, or there'd be logging indicating a problem with the extraction.
Hello Scott,

I've tried adding all the following lines to attribute-map.xml (only one at a time, of course), but none of them map the radius-1 attribute. The first one is supposed to be the right one.

<GSSAPIAttribute name="urn:ietf:params:gss-eap:radius-avp urn:x-radius:1" id="radius-1"/>
<GSSAPIAttribute name="urn:ietf:params:gss:radius-attribute 1" id="radius-1" />
<Attribute name="urn:ietf:params:gss:radius-attribute 1" id="radius-1" />
<Attribute name="urn:ietf:params:gss-eap:radius-avp urn:x-radius:1" id="radius-1" />

Do you have any hints on this?

I forgot to mention that there is no log output on screen. Is it supposed to be written to any file? /usr/local/moonshot/var/log/shibboleth/ is empty.

Regards

Best regards,
Alejandro

-- Scott