Attributes and web requests

Attribute mapping

(info) = Mandatory attribute to validate a Shibboleth login / session.

(warning) Shibboleth attribute names are case sensitive

| Shibboleth attribute | PowerFolder field | Purpose |
|---|---|---|
| Shib-Session-ID | - | (info) Must be set for authenticating a valid Shibboleth session |
| persistent-id or uniqueID | Account.shibbolethPersistentID | (info) Persistent external ID for retrieving/matching an existing PowerFolder account |
| eduPersonPrincipalName or eppn or EPPN | Account.username | (info) Persistent, external, unique username for retrieving an existing account |
| mail or email | Account.emails | (info) Email address(es) of user. Multiple mail addresses should be separated by ; (semicolon). Matches existing PowerFolder accounts unless turned off in config: shibboleth.accounts.match_email=false |
| givenName | Account.firstname | Given name of the user |
| surname or sn | Account.surname | Surname of the user |
| o or organizationName | Account.organization and Account.custom2 (if unmapped) | Organization (name) of user. Auto-creates organizations within PowerFolder unless turned off in config: shibboleth.create.organizations=false. The organization attribute name can be changed by config: shibboleth.organizations.attribute=customOrgAttrib |
| affiliation or eduPersonScopedAffiliation | Account.custom1 | Affiliation of user |
| (attribute names as in config) | Account.custom2 | Free mapping field. Not mapped by default. Use configuration entry to set mapping |
| (attribute names as in config) | Account.custom3 | Free mapping field. Not mapped by default. Use configuration entry to set mapping |
| (attribute names as in config) | Account.expirationDate | Free mapping field. Not mapped by default. Use configuration entry to set mapping. Format: ISO 8601 or Unix timestamp or yyyyMMddHHmmss, for example 2016-12-23T13:37:69.107Z or 20161231133769 |
| scopedUsername or bwScopedUsername | Account.username | Persistent, external, unique username for retrieving an existing account. (warning) No longer mapped by default since 10.5. To remap use attribute configuration |
| REMOTE_USER | Account.username | (warning) Obsolete. Persistent external username for retrieving an account. |

Configuration of Shibboleth-Attribute names

The SAML/Shibboleth attribute names can be configured if necessary under Preferences/Shibboleth or in the configuration file.

Example web request with attributes

Headers of request GET to /login/shibboleth:
HTTP_Shib-Identity-Provider: https://idptest.university.edu/idp/shibboleth
HTTP_o: organization
REMOTE_USER: zz9999@university.edu
HTTP_entitlement: http://idm.org/entitlement/organization-PowerFolder
HTTP_Shib-Session-ID: _01309f0985d68b0168d6ad702abc7222
Host: pf01.university.edu:8080
HTTP_givenName: Hank
HTTP_persistent-id: https://idp.university.edu/idp/shibboleth!https://powerfolder.university.edu/sp!4OTxOV/aW/40nA3nKt7PHNm8CW0=
HTTP_sn: Moody
HTTP_mail: hank.moody@university.edu
HTTP_eppn: zz9999@university.edu
HTTP_affiliation: employee@university.edu;member@university.edu
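
The default mapping applied to the request above, as an added example (not PowerFolder's own code). The names FIELD_ATTRS, parse_dump and map_account are hypothetical, the sample is a shortened copy of the dump above, and the check shows how a wrongly cased attribute name leaves a mandatory field unmapped:

```python
# Added example; FIELD_ATTRS, parse_dump and map_account are hypothetical names.
# Account field -> accepted attribute names, taken from the default mapping table.
FIELD_ATTRS = {
    "shibbolethPersistentID": ("persistent-id", "uniqueID"),
    "username": ("eduPersonPrincipalName", "eppn", "EPPN"),
    "emails": ("mail", "email"),
    "firstname": ("givenName",),
    "surname": ("surname", "sn"),
    "organization": ("o", "organizationName"),
    "custom1": ("affiliation", "eduPersonScopedAffiliation"),
}
MANDATORY = ("shibbolethPersistentID", "username", "emails")  # rows marked (info)

# Shortened copy of the request dump shown on the page.
SAMPLE = """\
HTTP_o: organization
HTTP_Shib-Session-ID: _01309f0985d68b0168d6ad702abc7222
Host: pf01.university.edu:8080
HTTP_givenName: Hank
HTTP_persistent-id: https://idp.university.edu/idp/shibboleth!https://powerfolder.university.edu/sp!4OTxOV/aW/40nA3nKt7PHNm8CW0=
HTTP_sn: Moody
HTTP_mail: hank.moody@university.edu
HTTP_eppn: zz9999@university.edu
HTTP_affiliation: employee@university.edu;member@university.edu
"""

def parse_dump(text):
    """Parse 'Name: value' lines, dropping the HTTP_ prefix used in the dump."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            key = name[5:] if name.startswith("HTTP_") else name
            attrs[key] = value.strip()
    return attrs

def map_account(attrs):
    """Return (account, missing): mapped fields plus absent mandatory items."""
    account = {}
    for field, names in FIELD_ATTRS.items():
        # Exact-case lookup: 'Mail' or 'GivenName' does not match.
        value = next((attrs[n] for n in names if attrs.get(n)), None)
        if value is not None:
            account[field] = value
    if "emails" in account:  # several addresses arrive separated by ';'
        account["emails"] = [m.strip() for m in account["emails"].split(";") if m.strip()]
    missing = [f for f in MANDATORY if not account.get(f)]
    if not attrs.get("Shib-Session-ID"):
        missing.insert(0, "Shib-Session-ID")
    return account, missing
```

A non-empty `missing` list means the request does not carry everything the table marks as mandatory, so it should not be treated as a valid Shibboleth login.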