Thanks for the hyper fast reply!
> We have a multi-valued attribute on every person in the directory,
> showing their affiliation. Our IDM drives the content of this
> - putting "member", "student", "staff", etc in as befits the person
> business rules in our IDM know which to put in).
Yes, that's pretty much what I'm planning on doing (no great
> If you have a multivalued attribute, the IdP software will release
> of the values - unless your ARP is blocking it from doing so, of
> (as you would definitely do with an entitlement value for privacy
OK, I suspected this might be the case, although the "Technical
Recommendations for Participants" document says:
"18.104.22.168 Generating and Interpreting eduPersonScopedAffiliation
It is recommended that identity providers have the ability either to
these multiple values for a given individual, or otherwise provide the
to release either value as appropriate for a particular service
example, although some service providers might require the release of
more specific student value, a different service provider that only
requires the less specific member value should only be sent the less
value. Releasing student in this case gives the service provider more
information about the user than is required, raising privacy and data
I take it that the limiting factor here is the current IdP software
which simply doesn't do this?
From what I've read, I understand that the ARP is something I can
configure on a per-SP basis? I note that the Shibboleth-Athens
integration guide specifies 'Entitlement' as one of the attributes we
need to populate and supply in that case?
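The per-SP release decision being asked about, as an added illustration that is not code from this thread or from the Shibboleth software: a small Python model of an attribute release policy in which each SP is listed with the attribute values it may receive, so a multi-valued eduPersonScopedAffiliation is trimmed to the least specific value a given SP needs, entitlement values go only where explicitly permitted, and requesters with no rule get nothing. The SP entity IDs, the scope and the entitlement URNs are constructed placeholders.

```python
# Added illustration of per-SP attribute release filtering (not Shibboleth's
# own ARP engine). SP entity IDs, scope and entitlement URNs are placeholders.
ANY = "*"  # permit every value of the attribute (an "any value" rule)

# Release policy: requester -> attribute -> permitted values.
# Attributes not listed for an SP are withheld; unknown SPs get nothing.
ARP = {
    "https://library.example.org/shibboleth": {
        # Only needs to know the user belongs to the institution.
        "eduPersonScopedAffiliation": {"member@example.ac.uk"},
    },
    "https://portal.example.org/shibboleth": {
        # Needs the more specific student value plus one entitlement.
        "eduPersonScopedAffiliation": {"member@example.ac.uk",
                                       "student@example.ac.uk"},
        "eduPersonEntitlement": {"urn:mace:example.ac.uk:entitlement:portal"},
        "eduPersonTargetedID": ANY,
    },
}

# Constructed sample user: the IDM has put several affiliation values in.
USER = {
    "eduPersonScopedAffiliation": {"member@example.ac.uk", "student@example.ac.uk"},
    "eduPersonEntitlement": {"urn:mace:example.ac.uk:entitlement:portal",
                             "urn:mace:example.ac.uk:entitlement:staffonly"},
    "eduPersonTargetedID": {"opaque-id-for-user"},
}


def release(requester, attrs, arp=ARP):
    """Return the attributes, and only the values, the ARP lets requester see."""
    rules = arp.get(requester)
    if rules is None:
        return {}  # default deny for an SP with no rule
    released = {}
    for name, values in attrs.items():
        permitted = rules.get(name)
        if permitted is None:
            continue  # attribute not mentioned for this SP: withheld
        kept = set(values) if permitted is ANY else set(values) & permitted
        if kept:
            released[name] = kept
    return released


if __name__ == "__main__":
    for sp in list(ARP) + ["https://unknown.example.net/shibboleth"]:
        print(sp, release(sp, USER))
```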