Attributes and web requests

(Page history: this is version 9, an older version of this page.)

Attribute mapping

(info) = Mandatory attribute to validate a Shibboleth login / session.

(warning) Shibboleth attribute names are case sensitive.

| Shibboleth attribute | PowerFolder field | Purpose | External links |
| --- | --- | --- | --- |
| Shib-Session-ID | - | (info) Must be set for authenticating a valid Shibboleth session | |
| persistent-id or uniqueID | Account.shibbolethPersistentID | (info) Persistent external ID for retrieving/matching an existing PowerFolder account | |
| eduPersonPrincipalName or eppn or EPPN | Account.username | (info) Persistent, external, unique username for retrieving an existing account | |
| mail or email | Account.emails | (info) Email address(es) of the user. Multiple mail addresses should be separated by ; (semicolon). Matches existing PowerFolder accounts unless turned off in config: shibboleth.accounts.match_email=false | |
| scopedUsername or bwScopedUsername | Account.username | Persistent, external, unique username for retrieving an existing account. (warning) Obsolete. Will be removed in the future | |
| givenName | Account.firstname | Given name of the user | |
| surname or sn | Account.surname | Surname of the user | |
| o or (attribute name as in config) | Account.organization and Account.custom2 | Organization (name) of the user. Auto-creates organizations within PowerFolder unless turned off in config: shibboleth.create.organizations=false. The organization attribute name can be changed by config: shibboleth.organizations.attribute=customOrgAttrib | |
| affiliation or eduPersonScopedAffiliation | Account.custom1 | Affiliation of the user | |
| entitlement or eduPersonEntitlement | - | Must match the entitlement value if set in PowerFolder config: shibboleth.entitlement=http://example.entitlement (by default no entitlement value is set, which means the entitlement check is disabled). (info) The entitlement attribute is optional and should only be set if it is sent/used by the IdP. | |
| REMOTE_USER | Account.username | (question) (warning) Obsolete? Persistent external username for retrieving an account | |

Example web request with attributes

Headers of a GET request to /login/shibboleth, as handed over by the Shibboleth SP (attribute headers carry the HTTP_ prefix):
HTTP_Shib-Identity-Provider: https://idptest.scc.kit.edu/idp/shibboleth
HTTP_o: organization
REMOTE_USER: zz9999@kit.edu
HTTP_entitlement: http://idm.org/entitlement/organization-PowerFolder
HTTP_Shib-Session-ID: _01309f0985d68b0168d6ad702abc7222
HTTP_Shib-Authentication-Method: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Host: pf01.organization.net:8080
HTTP_Shib-Authentication-Instant: 2015-09-22T13:32:32.084Z
HTTP_givenName: Hank
HTTP_persistent-id: https://idp.organization.net/idp/shibboleth!https://powerfolder.organization.net/sp!4OTxOV/aW/40nA3nKt7PHNm8CW0=
HTTP_sn: Moody
HTTP_Shib-AuthnContext-Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
HTTP_Shib-Session-Index: _33f3332851e83f64498e764555fd9d3f
HTTP_Shib-Application-ID: default
HTTP_mail: hank.moody@kit.edu
HTTP_eppn: zz9999@kit.edu
HTTP_affiliation: employee@organization.net;member@organization.net
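The following is an added example, not PowerFolder's own code, showing how the attribute table above is applied to a header set like the example request: the session check on Shib-Session-ID, the alternative attribute names, the semicolon-separated multi-valued attributes, the optional entitlement check and the configurable organization attribute name. The ShibConfig fields, the ShibbolethLoginError class, the function names and the order of lookup keys in match_keys are this example's assumptions; the config keys in the comments are the ones named on this page.

```python
"""Map Shibboleth SP request headers to PowerFolder account fields (added example)."""
from dataclasses import dataclass
from typing import Optional

# Alternative attribute names per account field, as listed in the table above.
# Header names are case sensitive, so "eppn" and "EPPN" are separate keys.
ATTRIBUTE_ALIASES = {
    "shibbolethPersistentID": ("persistent-id", "uniqueID"),
    "username": ("eduPersonPrincipalName", "eppn", "EPPN"),
    "emails": ("mail", "email"),
    "firstname": ("givenName",),
    "surname": ("surname", "sn"),
    "custom1": ("affiliation", "eduPersonScopedAffiliation"),
}
ENTITLEMENT_ALIASES = ("entitlement", "eduPersonEntitlement")
# Fields marked (info) in the table: a login without them is rejected.
MANDATORY = ("shibbolethPersistentID", "username", "emails")


@dataclass
class ShibConfig:
    """Subset of the PowerFolder config keys named on this page (assumed shape)."""
    entitlement: Optional[str] = None    # shibboleth.entitlement (unset = check disabled)
    organizations_attribute: str = "o"   # shibboleth.organizations.attribute
    match_email: bool = True             # shibboleth.accounts.match_email
    create_organizations: bool = True    # shibboleth.create.organizations


class ShibbolethLoginError(Exception):
    """Raised when the request does not carry a usable Shibboleth session."""


def _attribute(headers: dict, names: tuple) -> Optional[str]:
    """Return the first non-empty value among the HTTP_-prefixed header names."""
    for name in names:
        value = headers.get("HTTP_" + name)
        if value:
            return value
    return None


def split_multi(value: Optional[str]) -> list:
    """Multi-valued attributes arrive ';'-separated (see mail and affiliation)."""
    if not value:
        return []
    return [part.strip() for part in value.split(";") if part.strip()]


def map_attributes(headers: dict, cfg: ShibConfig) -> dict:
    """Validate the session and build the Account.* field dictionary."""
    if not headers.get("HTTP_Shib-Session-ID"):
        raise ShibbolethLoginError("Shib-Session-ID missing: no valid Shibboleth session")
    if cfg.entitlement is not None:
        # The check only runs when shibboleth.entitlement is configured.
        if cfg.entitlement not in split_multi(_attribute(headers, ENTITLEMENT_ALIASES)):
            raise ShibbolethLoginError("entitlement does not match shibboleth.entitlement")

    account = {name: _attribute(headers, aliases) for name, aliases in ATTRIBUTE_ALIASES.items()}
    account["emails"] = split_multi(account["emails"])
    org = _attribute(headers, (cfg.organizations_attribute,))
    account["organization"] = org  # Account.organization
    account["custom2"] = org       # Account.custom2 receives the same value
    account["create_organization"] = bool(org) and cfg.create_organizations

    for name in MANDATORY:
        if not account[name]:
            raise ShibbolethLoginError(f"mandatory attribute for Account.{name} missing")
    return account


def match_keys(account: dict, cfg: ShibConfig) -> list:
    """Keys an existing account may be looked up by. The order (persistent ID,
    username, then emails) is an assumption of this example, not stated on the page."""
    keys = [("shibbolethPersistentID", account["shibbolethPersistentID"]),
            ("username", account["username"])]
    if cfg.match_email:
        keys += [("email", e) for e in account["emails"]]
    return keys


# Constructed from the example request on this page (only the mapped headers).
EXAMPLE_HEADERS = {
    "HTTP_Shib-Session-ID": "_01309f0985d68b0168d6ad702abc7222",
    "HTTP_persistent-id": "https://idp.organization.net/idp/shibboleth!"
                          "https://powerfolder.organization.net/sp!4OTxOV/aW/40nA3nKt7PHNm8CW0=",
    "HTTP_eppn": "zz9999@kit.edu",
    "HTTP_mail": "hank.moody@kit.edu",
    "HTTP_givenName": "Hank",
    "HTTP_sn": "Moody",
    "HTTP_o": "organization",
    "HTTP_affiliation": "employee@organization.net;member@organization.net",
    "HTTP_entitlement": "http://idm.org/entitlement/organization-PowerFolder",
    "REMOTE_USER": "zz9999@kit.edu",  # obsolete mapping, deliberately not consulted
}

if __name__ == "__main__":
    cfg = ShibConfig(entitlement="http://idm.org/entitlement/organization-PowerFolder")
    acct = map_attributes(EXAMPLE_HEADERS, cfg)
    for key, value in acct.items():
        print(f"{key}: {value}")
    print("lookup keys:", match_keys(acct, cfg))
```

With the entitlement configured to the value the IdP sends, the example request maps to username zz9999@kit.edu, one email address and the organization "organization"; with shibboleth.entitlement set to a different value the same request is rejected, and with it unset the check is skipped as the table describes.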