* Colleen Romero <[log in to unmask]> [2011-05-31 13:37]:
> I've been experimenting with using a Shibboleth IdP and SP in a
> private federation. I am able to successfully authenticate against
> my IdP, but the SP is not picking up the scoped-affiliation
> attribute. It seems that the attribute is being blocked by the
> saml:AttributeScopeMatchesShibMDScope rule in attribute-policy.xml
> on the SP.
(Sounds more like a question for the shibboleth-users list?)
Without knowing any specifics about your situation it might be because
of a scope value that is not registered in the IdP's metadata (to
prevent an IdP from issuing attributes scoped to another institution)
or an affiliation value that is not part of the controlled vocabulary
from the eduPerson standard (which is enforced by the SP).
Did you look at your log files (transaction.log, shibd.log)?
Turning up the log level for those logs will most certainly give you
the reason. The documentation or the community supporting that
software will tell you how.