InCommon metadata support

[Andrew Morgan <>]

I'm working through the details to submit my IDP's metadata to InCommon. 
In the Federation Manager, I have been looking at the IDP Metadata Wizard.

Do I have to use the Wizard or can I submit my Shibboleth idp-metadata.xml 
file directly somewhere?

The wizard auto-populates the Attribute Scope value with 
"oregonstate.edu", which is the same as I have configured in Shibboleth's 
idp-metadata.xml.  If I am asserting that scope in my metadata, what 
happens if I release EPPN with the scope of a sub-domain?  For example, 
will SPs accept my EPPN as ""?  Must the scope 
of EPPN match the scope in my metadata?

The "Scope in Metadata" page at:

  https://spaces.internet2.edu/display/InCFederation/Scope+in+Metadata

says:

  "After receiving a scoped attribute, some SP software can be
  configured to compare the asserted scope to the scope value(s) in
  metadata. The scoped attribute is accepted by such an SP if and only if
  the asserted scope matches a scope value in metadata."

Unfortunately, our central identity usernames do not match the vanity 
email addresses assigned in the @oregonstate.edu domain.  In fact, there 
are clashes between usernames and email addresses (that are not the same 
person).  We could still release EPPN as "", but 
it would not be a valid email address.  I hope to work towards resolving 
these namespace issues in the future, but I need to publish our IDP 
metadata soon.

Any guidance you can provide is welcome!

Thanks,

Andy Morgan
Identity and Access Management
Oregon State University