
metadata-support - Re: [Metadata-Support] attribute scope in IDP metadata

Subject: InCommon metadata support

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Metadata-Support] attribute scope in IDP metadata
  • Date: Sat, 15 Feb 2014 02:01:09 +0000

On 2/14/14, 7:56 PM, "Andrew Morgan"
>Unfortunately, our central identity usernames do not match the vanity
>email addresses assigned in the domain. In fact, there
>are clashes between usernames and email addresses (that are not the same
>person). We could still release EPPN as
> but
>it would not be a valid email address.

An EPPN is not formally an email address. If you're saying none of your
email addresses is, then there is at least no ambiguity.
If you're saying you have cases where such addresses exist, and even worse
that they may not actually belong to the person whose username is the
email alias, that would be a disaster.

It's also very bad if you reassign EPPNs.

You will still have problems integrating with many large vendors by using
EPPNs that are not email addresses, but those vendors often will accept or
even prefer email addresses as identifiers instead of EPPN, and email is
not a scoped attribute (and those vendors don't use Shibboleth and have no
filtering of scope in any case).

-- Scott
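
An added example, not part of the original message and not InCommon or Shibboleth tooling: a Python audit that classifies each would-be EPPN (username@scope) against the mail aliases in a directory export, flagging the clash case and the EPPN reassignment case discussed above. The record layout, the `example.edu` scope and all sample data are constructed assumptions, and addresses are compared case-insensitively as a further assumption.

```python
# Constructed sample data; every id, username, address and the scope is a placeholder.
SCOPE = "example.edu"

PEOPLE = [
    {"id": "p1", "username": "jsmith", "mail": ["john.smith@example.edu"]},
    # p2's vanity alias is the same string as p1's would-be EPPN.
    {"id": "p2", "username": "asmith", "mail": ["jsmith@example.edu"]},
    {"id": "p3", "username": "mlee", "mail": ["mlee@example.edu", "m.lee@example.edu"]},
    {"id": "p4", "username": "kwong", "mail": ["Kwong@Example.EDU"]},
]

# Constructed assignment history: (eppn, person id) pairs over time.
HISTORY = [
    ("jdoe@example.edu", "p7"),
    ("jdoe@example.edu", "p9"),
    ("mlee@example.edu", "p3"),
]


def audit_eppn_vs_mail(people, scope):
    """Map each would-be EPPN to (status, ids of other people holding that address)."""
    owners_of = {}
    for person in people:
        for addr in person["mail"]:
            owners_of.setdefault(addr.lower(), set()).add(person["id"])

    report = {}
    for person in people:
        eppn = f'{person["username"]}@{scope}'.lower()
        owners = owners_of.get(eppn, set())
        if not owners:
            status = "not-an-address"  # EPPN is never a mail address: no ambiguity
        elif owners == {person["id"]}:
            status = "own-address"     # EPPN doubles as this person's own address
        else:
            status = "clash"           # the address belongs to someone else
        report[eppn] = (status, sorted(owners - {person["id"]}))
    return report


def find_reassigned(history):
    """Return EPPNs that have been bound to more than one person."""
    holders = {}
    for eppn, person_id in history:
        holders.setdefault(eppn.lower(), set()).add(person_id)
    return {e: sorted(ids) for e, ids in holders.items() if len(ids) > 1}


if __name__ == "__main__":
    for eppn, (status, others) in audit_eppn_vs_mail(PEOPLE, SCOPE).items():
        print(f"{eppn:22} {status:15} {others}")
    print("reassigned:", find_reassigned(HISTORY))
```
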
