Attribute mapping
Shib-Session-ID is the mandatory attribute for validating a Shibboleth login / session.
Shibboleth attribute names are case sensitive.
Shibboleth attribute | PowerFolder field | Purpose | External links |
---|---|---|---|
Shib-Session-ID | - | Must be set for authenticating a valid Shibboleth session | |
persistent-id or uniqueID | Account.shibbolethPersistentID | Persistent external ID for retrieving/matching an existing PowerFolder account | |
eduPersonPrincipalName or eppn or EPPN | Account.username | Persistent, external, unique username for retrieving an existing account | |
mail or email | Account.emails | Email address(es) of the user. Multiple addresses are separated by ; (semicolon). Matches existing PowerFolder accounts unless turned off in config: shibboleth.accounts.match_email=false | |
givenName | Account.firstname | Given name of the user | |
surname or sn | Account.surname | Surname of the user | |
o or organizationName or customOrgAttrib | Account.organization and Account.custom2 (if unmapped) | Organization (name) of the user. Auto-creates organizations within PowerFolder unless turned off in config: shibboleth.create.organizations=false. The organization attribute name can be changed by config: shibboleth.organizations.attribute= | |
affiliation or eduPersonScopedAffiliation | Account.custom1 | Affiliation of the user | |
entitlement or eduPersonEntitlement | - | Must match the entitlement value if one is set in the PowerFolder config: shibboleth.entitlement=http://example.entitlement (by default no entitlement value is set, which means the entitlement check is disabled) | |
(attribute names as in config) | Account.custom2 | Free mapping field. Not mapped by default. Use a configuration entry to set the mapping | |
(attribute names as in config) | Account.custom3 | Free mapping field. Not mapped by default. Use a configuration entry to set the mapping | |
(attribute names as in config) | Account.expirationDate | Free mapping field. Not mapped by default. Use a configuration entry to set the mapping. Format: ISO 8601, Unix timestamp or yyyyMMddHHmmss | |
scopedUsername or bwScopedUsername | Account.username | Obsolete; will be removed in the future. Persistent, external, unique username for retrieving an existing account. No longer mapped by default since 10.5; to remap it, use the attribute configuration | |
REMOTE_USER | Account.username | Obsolete. Persistent external username for retrieving an account | |
Configuration of Shibboleth attribute names
Info: The SAML/Shibboleth attribute names can be configured if necessary under Preferences/Shibboleth or in the configuration file.
Example web request
A request as seen by PowerFolder, with the attributes passed by the Shibboleth SP as server variables:

```text
HTTP_Shib-Identity-Provider: https://idptest.university.edu/idp/shibboleth
HTTP_o: organization
REMOTE_USER: zz9999@university.edu
HTTP_entitlement: http://idm.org/entitlement/organization-PowerFolder
HTTP_Shib-Session-ID: _01309f0985d68b0168d6ad702abc7222
Host: pf01.university.edu:8080
HTTP_givenName: Hank
HTTP_persistent-id: https://idp.university.edu/idp/shibboleth!https://powerfolder.university.edu/sp!4OTxOV/aW/40nA3nKt7PHNm8CW0=
HTTP_sn: Moody
HTTP_mail: hank.moody@university.edu
HTTP_eppn: zz9999@university.edu
HTTP_affiliation: employee@university.edu;member@university.edu
```
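The following is an added example, not PowerFolder code, that applies the mapping rules from the table to the example request above: it rejects a request without Shib-Session-ID, enforces shibboleth.entitlement only when it is configured, resolves the case-sensitive attribute aliases, splits the semicolon-separated mail attribute, honours shibboleth.organizations.attribute, and parses the three expirationDate formats. Assumptions not taken from the page: attributes arrive as HTTP_-prefixed server variables (as in the example), multi-valued attributes use ";" as separator (as the affiliation example does), 14-digit expiration values are yyyyMMddHHmmss in UTC, and the free mappings for custom2/custom3/expirationDate are passed as a dict because the page does not name their configuration entries. The sample request dict is constructed from the example above.

```python
"""Added example (not PowerFolder code): map Shibboleth SP attributes to an Account
following the table above. See the lead-in for the assumptions made here."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Alias lists from the table. Matching is case sensitive, so "eppn" and "EPPN"
# are separate entries. REMOTE_USER and scopedUsername are obsolete and not mapped.
ATTRIBUTE_ALIASES = {
    "shibbolethPersistentID": ["persistent-id", "uniqueID"],
    "username": ["eduPersonPrincipalName", "eppn", "EPPN"],
    "emails": ["mail", "email"],
    "firstname": ["givenName"],
    "surname": ["surname", "sn"],
    "organization": ["o", "organizationName"],
    "custom1": ["affiliation", "eduPersonScopedAffiliation"],
}
ENTITLEMENT_ALIASES = ["entitlement", "eduPersonEntitlement"]


@dataclass
class Account:
    shibbolethPersistentID: Optional[str] = None
    username: Optional[str] = None
    emails: list = field(default_factory=list)
    firstname: Optional[str] = None
    surname: Optional[str] = None
    organization: Optional[str] = None
    custom1: Optional[str] = None
    custom2: Optional[str] = None
    custom3: Optional[str] = None
    expirationDate: Optional[datetime] = None


class ShibbolethLoginError(Exception):
    """Raised when the request must not be accepted as a Shibboleth login."""


def lookup(env, names):
    """First non-empty attribute in `names`, as bare name or HTTP_ server variable.
    No case folding: Shibboleth attribute names are case sensitive."""
    for name in names:
        for key in (name, "HTTP_" + name):
            if env.get(key):
                return env[key]
    return None


def split_multi(value):
    """Multi-valued attributes are ';'-separated (assumption, as in the example)."""
    return [v.strip() for v in value.split(";") if v.strip()]


def parse_expiration(value):
    """Account.expirationDate: ISO 8601, Unix timestamp, or yyyyMMddHHmmss.
    Exactly 14 digits are taken as yyyyMMddHHmmss in UTC (assumption);
    any other all-digit value is Unix seconds."""
    v = value.strip()
    if v.isdigit() and len(v) == 14:
        return datetime.strptime(v, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if v.isdigit():
        return datetime.fromtimestamp(int(v), tz=timezone.utc)
    return datetime.fromisoformat(v.replace("Z", "+00:00"))


def map_attributes(env, config, free_mappings=None):
    """Validate the session and build an Account. `config` holds the shibboleth.*
    entries named in the table; `free_mappings` stands in for the unnamed
    configuration entries, e.g. {"expirationDate": ["pfExpires"]} (hypothetical)."""
    # 1. Shib-Session-ID is mandatory: without it the SP did not authenticate
    #    this request, no matter which other attributes are present.
    if not lookup(env, ["Shib-Session-ID"]):
        raise ShibbolethLoginError("no Shib-Session-ID")
    # 2. Entitlement check, active only when shibboleth.entitlement is set.
    required = config.get("shibboleth.entitlement")
    if required and required not in split_multi(lookup(env, ENTITLEMENT_ALIASES) or ""):
        raise ShibbolethLoginError("required entitlement %r not granted" % required)
    # 3. shibboleth.organizations.attribute replaces the organization attribute name.
    aliases = {k: list(v) for k, v in ATTRIBUTE_ALIASES.items()}
    if config.get("shibboleth.organizations.attribute"):
        aliases["organization"] = [config["shibboleth.organizations.attribute"]]
    aliases.update(free_mappings or {})
    account = Account()
    for fld, names in aliases.items():
        value = lookup(env, names)
        if value is None:
            continue
        if fld == "emails":
            value = split_multi(value)
        elif fld == "expirationDate":
            value = parse_expiration(value)
        setattr(account, fld, value)
    # 4. Something must identify the account; persistent-id is the preferred key.
    if not (account.shibbolethPersistentID or account.username):
        raise ShibbolethLoginError("no persistent-id/uniqueID or eppn to match an account")
    return account


def login_accepted(env, config, free_mappings=None):
    """True if map_attributes accepts the request, False if it rejects it."""
    try:
        map_attributes(env, config, free_mappings)
        return True
    except ShibbolethLoginError:
        return False


# Constructed from the example request above (not a live capture).
SAMPLE_REQUEST = {
    "HTTP_Shib-Identity-Provider": "https://idptest.university.edu/idp/shibboleth",
    "HTTP_o": "organization",
    "REMOTE_USER": "zz9999@university.edu",
    "HTTP_entitlement": "http://idm.org/entitlement/organization-PowerFolder",
    "HTTP_Shib-Session-ID": "_01309f0985d68b0168d6ad702abc7222",
    "HTTP_givenName": "Hank",
    "HTTP_persistent-id": "https://idp.university.edu/idp/shibboleth!"
                          "https://powerfolder.university.edu/sp!4OTxOV/aW/40nA3nKt7PHNm8CW0=",
    "HTTP_sn": "Moody",
    "HTTP_mail": "hank.moody@university.edu",
    "HTTP_eppn": "zz9999@university.edu",
    "HTTP_affiliation": "employee@university.edu;member@university.edu",
}
```

Running `map_attributes(SAMPLE_REQUEST, {"shibboleth.entitlement": "http://idm.org/entitlement/organization-PowerFolder"})` yields an Account with username zz9999@university.edu, a single-entry emails list and the persistent-id as shibbolethPersistentID; the same request with a different entitlement in config is rejected, and a request whose attribute is spelled HTTP_Eppn is not matched at all because of the case-sensitive names. Note that the session check only means something if the attribute values are trustworthy: attributes exported as HTTP headers can be injected by a client unless the SP (or the reverse proxy in front of it) strips incoming headers of those names, which is why the Shibboleth SP documentation prefers environment variables over headers.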