Comment: mention attribute release

...

As for the common-lib-terms eduPersonEntitlement value: if your attribute definition for eduPersonEntitlement is up to date with this documentation, it should already contain a mapping from the library-walk-in affiliation to the common-lib-terms entitlement value. Otherwise, just bring your local eduPersonEntitlement attribute definition in line with our documentation.

Release the affiliation attribute

Follow the examples from our Library Services documentation. Specifically, the attribute filter policy with id="LibrarySPsScopedAffiliation" takes care of releasing the eduPersonScopedAffiliation attribute with the "library-walk-in" value created above.

Prevent any further attribute lookup and release

To make sure no other data is resolved for the surrogate user (and later possibly also released to services), add the following bean to /opt/shibboleth-idp/conf/global.xml (anywhere within the enclosing beans XML element) so that it can later be referenced from the attribute resolver and NameID configuration. (This will evaluate to true whenever the IdP is dealing with a real authenticated subject, not with the library-walk-in surrogate.)

...