As for the common-lib-terms eduPersonEntitlement value: If your attribute definition for the eduPersonEntitlement is up-to-date with this documentation, it should already contain a mapping from the library-walk-in affiliation to the common-lib-terms entitlement value. Otherwise just bring your local eduPersonEntitlement attribute definition in line with our documentation.
Follow the examples from our Library Services documentation. Specifically, the attribute filter policy with id="LibrarySPsScopedAffiliation" takes care of releasing the eduPersonScopedAffiliation attribute with the "library-walk-in" value created above.
In order to make sure no other data is being resolved for the surrogate user (and later possibly also released to services), add the following bean to /opt/shibboleth-idp/conf/global.xml (anywhere within the enclosing beans XML element) so that it can later be referenced from the attribute resolver and NameID configuration. (This will evaluate to true whenever the IDP is dealing with a real authenticated subject, not with the library-walk-in surrogate.)