Scoped eppn question


Scoped eppn question

Bryan Wooten

I will try and keep this short.


We set up our first Docker SP (and my team’s first SP) to front Grouper. We are mostly a CAS shop but we want (internal team) to start moving to pure SAML.


Our IDP returns scoped eppn but our Grouper instance wants unscoped for our Grouper subjectID filter. (We had success with CAS for SSO)


Is there a way to define unscoped eppn for any given SP? Either on the IDP side or SP side?


I know, I know, this horse has been beaten to death, but my google foo is failing.


Thanks,


Bryan


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: Scoped eppn question

Greg Haverkamp
On Mon, Jan 13, 2020 at 2:19 PM Bryan Wooten <[hidden email]> wrote:

Our IDP returns scoped eppn but our Grouper instance wants unscoped for our Grouper subjectID filter. (We had success with CAS for SSO)


Is there a way to define unscoped eppn for any given SP? Either on the IDP side or SP side?


ePPN is scoped by definition.  The simplest answer is that you just need an unscoped attribute like uid.  (I don't know how many folks federate their Grouper installations across authentication realms, so I'm not sure how far beyond the simple case one needs to worry.)


Greg

Re: Scoped eppn question

Robert Bradley
On 13/01/2020 23:32, Greg Haverkamp wrote:

> On Mon, Jan 13, 2020 at 2:19 PM Bryan Wooten <[hidden email]> wrote:
>
>> Our IDP returns scoped eppn but our Grouper instance wants unscoped for
>> our Grouper subjectID filter. (We had success with CAS for SSO)
>>
>>
>>
>> Is there a way to define unscoped eppn for any given SP? Either on the IDP
>> side or SP side?
>>
>
> ePPN is scoped by definition.  The simplest answer is that you just need an
> unscoped attribute like uid.  (I don't know how many folks federate their
> Grouper installations across authentication realms, so I'm not sure how far
> beyond the simple case one needs to worry.)
>
> The Grouper wiki has some documentation:
> https://spaces.at.internet2.edu/display/Grouper/Authentication+to+the+Grouper+UI
>

Another option would be to descope the eppn on the SP side.  Something
like the "Descoping eduPersonPrincipalName" section on
https://help.it.ox.ac.uk/shibboleth/shibsp-apache-howto should work,
assuming you change the stripped scope to match your IdP.  (This has the
advantage over uid that eppn values from other IdPs remain as-is.)

--
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
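As an added illustration (not from this thread or the Oxford how-to), this is how the SP-side descoping Robert describes can be expressed in shibboleth2.xml using the Shibboleth SP 3 Transform attribute resolver. It assumes `eppn` is the attribute id mapped for eduPersonPrincipalName in attribute-map.xml, `uid` is the id the Grouper subject filter will read, and `example.edu` stands in for the IdP's real scope.

```xml
<!-- Placed inside <ApplicationDefaults> in shibboleth2.xml (SP 3.x syntax, assumed). -->
<!-- "eppn" is the attribute id given to eduPersonPrincipalName in attribute-map.xml. -->
<AttributeResolver type="Transform" source="eppn">
    <!-- Anchored match: only the scope belonging to our own IdP is stripped.
         example.edu is a placeholder for the real scope; escape the dots so
         "example-edu" or "example.edu.attacker.org" cannot match.
         Values with any other scope do not match and are left untouched,
         so eppn values from other IdPs keep their scope, as Robert notes. -->
    <Regex match="^([^@]+)@example\.edu$" dest="uid">$1</Regex>
</AttributeResolver>
```

Keep the existing eduPersonPrincipalName scope rule in attribute-policy.xml in place, so that only the IdP entitled to the `example.edu` scope in metadata can assert it and therefore populate the derived `uid`.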