ePPN and scope


ePPN and scope

Mahabalagiri, Datta

One of our clients is asking us to send ePPN as a non-smart scoped attribute using its OID number as definition. They are using some other SAML solution, not Shib SP.

Is it the right thing to do? I want to make sure we don't break standards or convention by doing this. One implication I see is that SPs (who use the OID notation of ePPN) will need to define this as non-scoped in their AAP.xml.

<SimpleAttributeDefinition id="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" lifeTime="28800"
        sourceName="urn:mace:dir:attribute-def:eduPersonPrincipalName">
    <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
</SimpleAttributeDefinition>

urn:mace:dir:attribute-def:eduPersonPrincipalName is defined separately with a smartScope of ucla.edu. With this definition the IdP delivers urn:oid:1.3.6.1.4.1.5923.1.1.1.6 as [hidden email].

Thanks,

Datta
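Added example, not code from the thread or from the Shibboleth project: a small Python check an SP could run when ePPN arrives under the OID name as a plain user@scope string instead of as a Shibboleth scoped value. Once the attribute is delivered non-scoped, the receiving side no longer gets the scope filtering that a scoped definition in AAP.xml provides, so it has to confirm itself that the scope part of each value is one the IdP is entitled to assert. The SAML 1 attribute statement and the allowed-scope set below are constructed for the demo (a real SP would take the allowed scopes from the IdP's metadata), and the Scope XML attribute form follows the Shibboleth 1.x scoped-attribute encoding.

```python
"""Scope checking for eduPersonPrincipalName (ePPN) delivered either as a
Shibboleth scoped attribute (value plus a Scope XML attribute) or as a plain
"user@scope" string under its OID name.

Added example, not code from the thread or the Shibboleth project.  The SAML
fragment and the allowed-scope set are constructed for this demo.
"""
import xml.etree.ElementTree as ET

# Attribute names as they appear in the thread.
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
EPPN_MACE = "urn:mace:dir:attribute-def:eduPersonPrincipalName"

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed: the scopes this SP has agreed to accept from the IdP.
ALLOWED_SCOPES = {"ucla.edu"}


def split_eppn(value, scope_attr=None):
    """Return (local_part, scope) for one ePPN value.

    For a Shibboleth scoped value the scope arrives in a separate XML
    attribute and the text itself must not contain '@'.  For the plain
    string form the scope is whatever follows the last '@'.
    """
    if scope_attr is not None:
        if "@" in value or not value or not scope_attr:
            raise ValueError("malformed scoped value: %r / %r" % (value, scope_attr))
        return value, scope_attr
    local, sep, scope = value.rpartition("@")
    if not sep or not local or not scope:
        raise ValueError("ePPN without a usable scope: %r" % value)
    return local, scope


def check_scope(scope, allowed=ALLOWED_SCOPES):
    """Case-insensitive exact match against the allowed scopes (no wildcards)."""
    return scope.lower() in {s.lower() for s in allowed}


def extract_eppns(attribute_statement_xml):
    """Pull ePPN values (under either name) out of a SAML 1 AttributeStatement.

    Returns a list of (attribute_name, local, scope, accepted) tuples.  Values
    that fail parsing or the scope check are reported with accepted=False
    rather than silently dropped, so the SP can log them.
    """
    root = ET.fromstring(attribute_statement_xml.strip())
    results = []
    for attr in root.iter("{%s}Attribute" % SAML1_NS):
        name = attr.get("AttributeName")
        if name not in (EPPN_OID, EPPN_MACE):
            continue
        for av in attr.findall("{%s}AttributeValue" % SAML1_NS):
            text = (av.text or "").strip()
            try:
                local, scope = split_eppn(text, av.get("Scope"))
            except ValueError:
                results.append((name, text, None, False))
                continue
            results.append((name, local, scope, check_scope(scope)))
    return results


# Constructed sample: the MACE name carries a Shibboleth scoped value, the OID
# name carries plain strings, including one with a foreign scope and one with
# no scope at all.
SAMPLE_STATEMENT = """
<AttributeStatement xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
  <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
             AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <AttributeValue Scope="ucla.edu">jdoe</AttributeValue>
  </Attribute>
  <Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
             AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <AttributeValue>jdoe@ucla.edu</AttributeValue>
    <AttributeValue>someone@other.example</AttributeValue>
    <AttributeValue>noscope</AttributeValue>
  </Attribute>
</AttributeStatement>
"""

if __name__ == "__main__":
    for name, local, scope, ok in extract_eppns(SAMPLE_STATEMENT):
        print("%-50s %-10s %-15s %s" % (name, local, scope, "accept" if ok else "REJECT"))
```

The check deliberately requires an exact (case-insensitive) match against the agreed scope list: a value whose scope is not on that list is reported and rejected, which is the same outcome a Shibboleth SP's scoped AAP rule would produce before the attribute was re-exposed as a plain string.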


Re: ePPN and scope

Albert Wu



// albert

On Jan 12, 2009, at 10:49 AM, "Mahabalagiri, Datta" <[hidden email]> wrote:

> One of our clients is asking us to send ePPN as a non-smart scoped attribute using its OID number as definition. They are using some other SAML solution, not Shib SP.
>
> Is it the right thing to do? I want to make sure we don't break standards or convention by doing this. One implication I see is that SPs (who use the OID notation of ePPN) will need to define this as non-scoped in their AAP.xml.
>
> <SimpleAttributeDefinition id="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" lifeTime="28800"
>         sourceName="urn:mace:dir:attribute-def:eduPersonPrincipalName">
>     <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
> </SimpleAttributeDefinition>
>
> urn:mace:dir:attribute-def:eduPersonPrincipalName is defined separately with a smartScope of ucla.edu. With this definition the IdP delivers urn:oid:1.3.6.1.4.1.5923.1.1.1.6 as [hidden email].
>
> Thanks,
>
> Datta


RE: ePPN and scope

Cantor, Scott E.
In reply to this post by Mahabalagiri, Datta
> One of our clients is asking us to send ePPN as a non-smart scoped attribute
> using its OID number as definition. They are using some other SAML solution,
> not Shib SP.
>
> Is it the right thing to do? I want to make sure we don't break standards or
> convention by doing this.

Yes, we profiled that attribute name in that manner in the last profiles
document for that purpose, so that people wouldn't have to hack up a fix for
every partner individually.

-- Scott