Hi,
We currently run a federated 1.3 SP and I was wondering if you could map multiple attributes to one header. The scenario we happened to stumble on, is that certain IdPs are sending us urn based ePPN and other are sending us oid based ePPN. We need to map ePPN to REMOTE_USER. What I ended up doing in the AAP is posted below.
<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="true" Header="REMOTE_USER" Alias="user">
<AnySite>
<Value Type="regexp">^[^@]+$</Value>
</AnySite>
</AttributeRule>
<AttributeRule Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" Scoped="true" Header="REMOTE_USER" Alias="user2">
<SiteRule Name="Some entityID">
<Value Type="regexp">^[^@]+$</Value>
</SiteRule>
</AttributeRule>
This ends up working but it is not very scalable since we would have to add a new SiteRule for each IdP sending us an oid based ePPN in this scenario. Even if we flipped it around, the same thing would have to occur for urn based ePPN.
We plan on upgrading to a 2.1 SP very soon, so if nothing can be done on a 1.3 SP is there anything that can be done on a 2.1 SP.
Thanks
Warren
You may want to talk with the IdP as well. They probably shouldn't be
using the OID naming scheme for SAML 1 messages. That was something
that was introduced with SAML 2 so it's unlikely that any SAML 1 system
is going to "just support" that.
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch
Why can't you use AnySite for your OID-based ePPN? Will there be any specific IdPs that would send OID in ePPN and yet not being accepted/mapped to remote user? I would have thought that both OID-based and URN-based could simply be using AnySite.
Bruc
Yes, you're just imposing site-specific rules without any reason to do so.
But the OID-based version of EPPN is defined for SAML 1.1 as long as you don't define it as a scoped attribute to the old SP. If you do that, it will fail. Using the OID is how you express that the IdP can't support our XML syntax for scopes, and flattens the string. Otherwise the IdP should use the original attribute name.
-- Scott
You follow the profiles defined for the Shibboleth community unless you're forced to work around something.
> We are dealing with v1.3 SPs and some on v2.1. We are planning to upgrade
> ourselves, from IdP 1.3 to 2.1.
If you follow the attribute profiles published, the right things will happen regardless of the version.
> Is it the recommended approach then?
Yes. When you run into a broken SAML 1.1 SP, you can release the OID-named version of EPPN to that SP and not affect any of the others.
-- Scott