metadata-support - Re: [Metadata-Support] attribute scope in IDP metadata


  • From: Andrew Morgan
  • Subject: Re: [Metadata-Support] attribute scope in IDP metadata
  • Date: Mon, 17 Feb 2014 12:43:08 -0800 (PST)

On Sat, 15 Feb 2014, Cantor, Scott wrote:

> On 2/14/14, 7:56 PM, "Andrew Morgan" wrote:
>
>> Unfortunately, our central identity usernames do not match the vanity
>> email addresses assigned in the domain. In fact, there are clashes
>> between usernames and email addresses (that are not the same person).
>> We could still release EPPN as it would not be a valid email address.
>
> An EPPN is not formally an email address. If you're saying none of your
> email addresses is, then there is at least no ambiguity. If you're saying
> you have cases where such addresses exist, and even worse that they may
> not actually belong to the person whose username is the email alias,
> that would be a disaster.

Unfortunately, we do have email addresses in, and they DO conflict with some of our usernames. I assume at least some of them are not the same person. We'll be looking at this closely, of course.

Do you think we should resolve this before we federate and use these EPPNs?

> It's also very bad if you reassign EPPNs.

Our current usernames contain the person's last name, so we do process some username changes when a person's legal name changes (and the person requests a username change). I'd like to create future usernames that are less prone to change (such as initials+numbers).

If we continue to allow changes, should we stop reassigning old usernames to new people? I see notes about this in the discussion of eduPersonPrincipalNamePrior, but I'm interested in more real-world, practical advice of what works and what doesn't.

> You will still have problems integrating with many large vendors by using
> EPPNs that are not email addresses, but those vendors often will accept or
> even prefer email addresses as identifiers instead of EPPN, and email is
> not a scoped attribute (and those vendors don't use Shibboleth and have no
> filtering of scope in any case).

Okay, thanks for all the info Scott and Tom!
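The scope filtering Scott mentions at the end of the exchange is the check that makes a scoped attribute such as EPPN trustworthy: an SP that consults IdP metadata only accepts values whose scope that IdP has declared, while a vendor that ignores metadata (or matches users on the e-mail local part) accepts whatever scope the IdP sends. The following is an added example, not code from this thread, from InCommon or from Shibboleth. It parses the shibmd:Scope elements out of a constructed piece of SAML IdP metadata and filters a list of constructed EPPN values against them. The entityID, scopes and EPPN values are hypothetical; the case-insensitive comparison, the full-match treatment of regexp scopes and the rejection of values with other than exactly one "@" are this example's own choices, not a statement of exactly how the Shibboleth SP implements its rule.

```python
"""
Added example for the thread above: filtering a scoped attribute (EPPN)
against the scopes an IdP declares in its SAML metadata. Not code from the
thread, InCommon or Shibboleth; all names and values below are constructed.
"""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"       # SAML 2.0 metadata
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"        # shibmd:Scope extension

# Constructed IdP metadata: hypothetical entityID and scopes.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      <shibmd:Scope regexp="true">^[a-z]+\\.example\\.edu$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def load_idp_scopes(metadata_xml):
    """Collect the scopes declared under the IdP role: literal ones lower-cased
    into a set, regexp ones compiled (case-insensitive, an assumption here)."""
    root = ET.fromstring(metadata_xml)
    literal, regexes = set(), []
    for idp in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for scope in idp.iter(f"{{{SHIBMD_NS}}}Scope"):
            value = (scope.text or "").strip()
            if not value:
                continue
            if scope.get("regexp", "false").lower() == "true":
                regexes.append(re.compile(value, re.IGNORECASE))
            else:
                literal.add(value.lower())
    return literal, regexes


def split_scoped(value):
    """Split 'local@scope'; a value with zero or several '@' is malformed."""
    if value.count("@") != 1:
        raise ValueError(f"not a scoped value: {value!r}")
    local, scope = value.split("@")
    if not local or not scope:
        raise ValueError(f"empty local part or scope: {value!r}")
    return local, scope


def scope_is_asserted(scope, literal, regexes):
    """True if the IdP's metadata entitles it to assert this scope."""
    if scope.lower() in literal:
        return True
    return any(r.fullmatch(scope) for r in regexes)


def filter_scoped_values(values, metadata_xml):
    """Keep only the values whose scope the IdP may assert (what a metadata-aware
    SP's scope rule does; a consumer that ignores metadata keeps all of them)."""
    literal, regexes = load_idp_scopes(metadata_xml)
    kept = []
    for value in values:
        try:
            _, scope = split_scoped(value)
        except ValueError:
            continue                        # malformed: drop, never trust
        if scope_is_asserted(scope, literal, regexes):
            kept.append(value)
    return kept


if __name__ == "__main__":
    # Constructed EPPN values: two legitimate, one from a regexp sub-scope,
    # and three that a scope-blind consumer would accept without question.
    sample = [
        "amorgan@example.edu",
        "amorgan@EXAMPLE.EDU",
        "amorgan@cs.example.edu",
        "amorgan@other.edu",
        "amorgan@cs.example.edu.attacker.net",
        "amorgan",
    ]
    for v in sample:
        status = "kept" if filter_scoped_values([v], SAMPLE_METADATA) else "dropped"
        print(f"{v:40} {status}")
```

The anchored regexp scope is what stops "cs.example.edu.attacker.net" from passing: an unanchored pattern, or a substring test, would let any IdP that is allowed a regexp scope assert identities it does not own. A vendor that keys accounts on the e-mail attribute, or on the part of EPPN before the "@", never runs any of this, which is the practical point behind Scott's closing remark.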


