I'm forwarding the following question I received from an SP, which I'd appreciate a view on:
"My follow-up question: we've seen that users can have multiple 'roles'
within a certain scope (e.g. within the eduPersonScopedAffiliation attribute), such as:
<Attribute xmlns:typens="urn:mace:shibboleth:1.0"
AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
<AttributeValue Scope="foo.ac.uk"
xsi:type="typens:AttributeValueType">student</AttributeValue>
<AttributeValue Scope="foo.ac.uk"
xsi:type="typens:AttributeValueType">member</AttributeValue>
</Attribute>
***Do you know if we'll ever see a user that exists within multiple scopes?***
For example, a user that comes across to us as:
<AttributeValue Scope="mmu.ac.uk1"
xsi:type="typens:AttributeValueType">student</AttributeValue>
<AttributeValue Scope="foo.ac.uk1"
xsi:type="typens:AttributeValueType">member</AttributeValue>
<AttributeValue Scope="foo.ac.uk2"
xsi:type="typens:AttributeValueType">member</AttributeValue>
From an XML perspective this seems allowable -- is it permissible within an IdP to your knowledge?"
Thanks,
Ross
-------------------------------------------
Ross MacIntyre T: +44(0)161-275-7181
Mimas Service Manager F: +44(0)161-275-6071
Kilburn Building M: +44(0)778-095-6424
The University of Manchester
Oxford Road
Manchester M13 9PL U.K.
Skype: ross.macintyre
-------------------------------------------
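An added example, not part of the original message: one way an SP could read the attribute shown above without assuming a single scope, grouping affiliations per scope and setting aside any value whose scope is not permitted for the asserting IdP. The function names and the `permitted_scopes` argument (the scopes the SP accepts for that IdP, e.g. taken from federation metadata) are assumptions, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

EPSA = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"

# Constructed sample in the shape of the snippet in the message, with the
# xsi namespace declared so that it parses stand-alone.
SAMPLE = """<Attribute xmlns:typens="urn:mace:shibboleth:1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
  AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
  <AttributeValue Scope="foo.ac.uk" xsi:type="typens:AttributeValueType">student</AttributeValue>
  <AttributeValue Scope="foo.ac.uk" xsi:type="typens:AttributeValueType">member</AttributeValue>
  <AttributeValue Scope="mmu.ac.uk" xsi:type="typens:AttributeValueType">member</AttributeValue>
  <AttributeValue xsi:type="typens:AttributeValueType">staff</AttributeValue>
</Attribute>"""


def local(tag):
    """Strip any '{namespace}' prefix ElementTree puts on a tag name."""
    return tag.rsplit("}", 1)[-1]


def affiliations_by_scope(xml_text, permitted_scopes):
    """Return ({scope: {affiliation, ...}}, [(scope, affiliation), ...rejected]).

    permitted_scopes is hypothetical: the scopes this SP accepts for the IdP
    that issued the assertion. Signature validation of the assertion is
    assumed to have happened before this point.
    """
    root = ET.fromstring(xml_text)
    if local(root.tag) != "Attribute" or root.get("AttributeName") != EPSA:
        raise ValueError("not an eduPersonScopedAffiliation attribute")
    permitted = {s.lower() for s in permitted_scopes}
    accepted, rejected = defaultdict(set), []
    for value in root:
        if local(value.tag) != "AttributeValue":
            continue
        scope = (value.get("Scope") or "").strip().lower()
        affiliation = (value.text or "").strip().lower()
        # Authorise on the (scope, affiliation) pair, never on the bare value:
        # "member" of one scope says nothing about another scope.
        if scope in permitted and affiliation:
            accepted[scope].add(affiliation)
        else:
            rejected.append((scope, affiliation))
    return dict(accepted), rejected
```
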