metadata-support - Re: [Metadata-Support] attribute scope in IDP metadata
Subject: InCommon metadata support
- From: Tom Scavo <>
- To:
- Subject: Re: [Metadata-Support] attribute scope in IDP metadata
- Date: Fri, 14 Feb 2014 20:10:02 -0500
Hi Andy,
On Fri, Feb 14, 2014 at 7:56 PM, Andrew Morgan <> wrote:
> I'm working through the details to submit my IDP's metadata to InCommon. In
> the Federation Manager, I have been looking at the IDP Metadata Wizard.
>
> Do I have to use the Wizard or can I submit my Shibboleth idp-metadata.xml
> file directly somewhere?
That file is not an accurate representation of your IdP's metadata,
I'm afraid. In any case, the answer is: all we have is the Wizard.
There is no way currently to submit raw XML.
> The wizard auto-populates the Attribute Scope value with "oregonstate.edu",
> which is the same as I have configured in Shibboleth's idp-metadata.xml. If
> I am asserting that scope in my metadata, what happens if I release EPPN
> with the scope of a sub-domain?
Invariably, the SP will not accept such an ePPN.
> For example, will SPs accept my EPPN as ""? Must the scope of EPPN match
> the scope in my metadata?
Yes, precisely, and normally you would set your scope to oregonstate.edu.
> The "Scope in Metadata" page at:
>
> https://spaces.internet2.edu/display/InCFederation/Scope+in+Metadata
Thank you for reading that page :-)
> says:
>
> "After receiving a scoped attribute, some SP software can be
> configured to compare the asserted scope to the scope value(s) in
> metadata. The scoped attribute is accepted by such an SP if and only if
> the asserted scope matches a scope value in metadata."
>
> Unfortunately, our central identity usernames do not match the vanity email
> addresses assigned in the @oregonstate.edu domain. In fact, there are
> clashes between usernames and email addresses (that are not the same
> person). We could still release EPPN as "", but it would not be a valid
> email address.
Well, that's not a requirement. It's easier for everyone in some
respects if the two are the same but that is by no means required.
> I hope to work towards resolving these
> namespace issues in the future, but I need to publish our IDP metadata soon.
I look forward to that as well :-)
> Any guidance you can provide is welcome!
You don't get two chances with Scope. Pick the right one the first
time. Changing midstream will be painful.
Hope this helps,
Tom
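The SP-side check that Tom and the "Scope in Metadata" page describe (accept a scoped attribute only if its scope matches a shibmd:Scope value published for the asserting IdP), written out as an added example. This is not Tom's code and not the Shibboleth SP's own implementation: it is a small Python reimplementation of the rule for illustration. The metadata, entity IDs and scope values below are constructed for the example (example.edu and regex.example.org are hypothetical, not Oregon State's real values). Two details are this example's choices rather than a statement of how any particular SP behaves: literal scopes are compared case-insensitively, and a scope with regexp="true" must match the whole asserted scope. The regexp case goes slightly beyond the thread, which only discusses a literal scope, to show the general mechanism metadata supports.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# Constructed sample metadata for this example: two hypothetical IdPs, one
# publishing a literal scope, one publishing a regexp scope. Not real
# InCommon metadata and not anyone's production entityIDs.
SAMPLE_METADATA = f"""
<EntitiesDescriptor xmlns="{MD_NS}" xmlns:shibmd="{SHIBMD_NS}" Name="urn:example:constructed">
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      </Extensions>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.regex.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <Extensions>
        <shibmd:Scope regexp="true">^([a-z0-9-]+\\.)*regex\\.example\\.org$</shibmd:Scope>
      </Extensions>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def idp_scopes(metadata_xml: str, entity_id: str) -> List[Tuple[str, bool]]:
    """Return (scope, is_regexp) pairs published for entity_id's IdP role.

    Returns [] when the entity is absent or publishes no scope, which the
    caller treats as "nothing can be accepted", never as "accept anything".
    """
    root = ET.fromstring(metadata_xml)
    scopes: List[Tuple[str, bool]] = []
    # iter() visits root itself too, so a bare EntityDescriptor also works.
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        # Only scopes under the IdP role count for attribute assertions.
        for idp in ed.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
            for s in idp.iter(f"{{{SHIBMD_NS}}}Scope"):
                is_regexp = s.get("regexp", "false").strip().lower() in ("true", "1")
                scopes.append(((s.text or "").strip(), is_regexp))
    return scopes


def split_scoped(value: str) -> Optional[Tuple[str, str]]:
    """Split 'local@scope'; None if the value is not a well-formed scoped value."""
    if value.count("@") != 1:
        return None
    local, scope = value.split("@", 1)
    if not local or not scope:
        return None
    return local, scope


def scope_matches(scope: str, published: List[Tuple[str, bool]]) -> bool:
    """True iff the asserted scope matches one published scope value."""
    for pattern, is_regexp in published:
        if is_regexp:
            # Example's choice: the pattern must cover the whole scope string.
            if re.fullmatch(pattern, scope, re.IGNORECASE):
                return True
        elif pattern.lower() == scope.lower():  # example's choice: case-insensitive
            return True
    return False


def accept_scoped_attribute(value: str, entity_id: str,
                            metadata_xml: str = SAMPLE_METADATA) -> Optional[str]:
    """Return value if its scope is authorized for the asserting IdP, else None."""
    parts = split_scoped(value)
    if parts is None:
        return None
    _, scope = parts
    published = idp_scopes(metadata_xml, entity_id)
    if not published:
        return None
    return value if scope_matches(scope, published) else None


if __name__ == "__main__":
    idp = "https://idp.example.edu/idp/shibboleth"
    for eppn in ("jdoe@example.edu", "jdoe@onid.example.edu", "jdoe"):
        print(eppn, "->", accept_scoped_attribute(eppn, idp))
```

The second case in the usage block is the sub-domain question from the thread: an IdP that publishes the literal scope example.edu and then asserts jdoe@onid.example.edu gets that value dropped, exactly as Tom says. The regexp IdP shows the alternative an IdP has if it genuinely needs to assert several scopes: publish a pattern, and the SP accepts whatever it covers.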