Versions Compared

Old Version 14

changes.mady.by.user Christian Sprajc

Saved on

compared with

New Version 15

changes.mady.by.user Christian Sprajc

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Shibboleth.AttributePowerFolder.FieldPurposeExternal links

Shib-Session-ID

-(info) Must be set for authenticating a valid Shibboleth session

persistent-id or uniqueID

Account.shibbolethPersistentID(info) Persistent external ID for retrieving/matching an existing PowerFolder account

eduPersonPrincipalName or

eppn or EPPN

Account.username(info) Persistent, external, unique username for retrieving an existing account

mail or email

Account.emails

(info) Email address(es) of user. Multiple mail address should be separated by

; (semicolon). Matches existing PowerFolder accounts unless turned off in config:

shibboleth.accounts.match_email=false

scopedUsername or

bwScopedUsername

Account.username

Persistent, external, unique username for retrieving an existing account

(warning) Obsolete. Will be removed in the future

 

givenName

Account.firstnameGiven name of the user

surname or sn

 Account.surnameSurname of the user

o or

(attribute name as in config)

organizationName

Account.organization and

Account.custom2 (if unmapped)

Organization (name) of user.

Auto-creates organizations within PowerFolder unless turned off in config:

shibboleth.create.organizations=false

Organization attribute name can be alternated by config:

shibboleth.organizations.attribute=customOrgAttrib

affiliation or

eduPersonScopedAffiliation

 Account.custom1 Affiliation of user
(attribute names as in config)Account.custom2

Free mapping field. Not mapped by default. Use configuration entry to set mapping

(warning) (info) Available since 10.5

 
(attribute names as in config)Account.custom3

Free mapping field. Not mapped by default. Use configuration entry to set mapping

(warning)(info) Available since 10.5

 
(attribute names as in config)Account.expirationDate

Free mapping field. Not mapped by default. Use configuration entry to set mapping

(warning) (info) Available since 10.5. Format: Unix timestamp or yyyyMMddHHmmss

Example: 20161231235959

entitlement or

eduPersonEntitlement

-

Must match the entitlement value if set in PowerFolder config:

shibboleth.entitlement=http://example.entitlement

(by default no entitlement value is set, which means disabled entitlement check)

(info) The entitlement attribute is optional and should only be set, if it's sent/used by the IdP.

scopedUsername or

bwScopedUsername

Account.username

Persistent, external, unique username for retrieving an existing account

(warning) Not longer mapped by default since 10.5. To remap use attribute configuration

 
REMOTE_USERAccount.username(question) (warning) Obsolete? . Persistent external username for retrieving an account. 

Example web request with attributes

Code Block
titleHeaders of request GET to /login/shibboleth:
HTTP_Shib-Identity-Provider: https://idptest.scc.kituniversity.edu/idp/shibboleth
HTTP_o: organization
REMOTE_USER: zz9999@kitzz9999@university.edu
HTTP_entitlement: http://idm.org/entitlement/organization-PowerFolder
HTTP_Shib-Session-ID: _01309f0985d68b0168d6ad702abc7222
HTTP_Shib-Authentication-Method: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Host: pf01.organizationuniversity.netedu:8080
HTTP_Shib-Authentication-Instant:
2015-09-22T13:32:32.084Z
HTTP_givenName: Hank
HTTP_persistent-id: https://idp.organizationuniversity.netedu/idp/shibboleth!https://powerfolder.organizationuniversity.netedu/sp!4OTxOV/aW/40nA3nKt7PHNm8CW0=
HTTP_sn: Moody
HTTP_Shib-AuthnContext-Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
HTTP_Shib-Session-Index: _33f3332851e83f64498e764555fd9d3f
HTTP_Shib-Application-ID: default
HTTP_mail: hank.moody@kitmoody@university.edu
HTTP_eppn: zz9999@kitzz9999@university.edu
HTTP_affiliation: employee@organizationemployee@university.netedu;member@organizationmember@university.netedu