[prev in list] [next in list] [prev in thread] [next in thread] 

List:       shibboleth-users
Subject:    RE: Assigning edupersonaffiliation attribute with AD
From:       "Curry, Warren" <whcurry () ufl ! edu>
Date:       2013-04-30 14:13:21
Message-ID: A1662A4C21C69D43B65DDDAD045D4CAF4AC3E341 () UFEXCH-MBXN03 ! ad ! ufl ! edu
[Download RAW message or body]

EduPersonAffiliation should be set based on the person info and their relationship to \
your school.  

Here at UF individuals are assigned a more detailed UF affiliation in the Identity \
registry hub that we operate.    Sources of this info are:  Systems of record (HR, \
Hospital Corp HR, Student Records, and Distance Continuing Education), in addition \
other individauls are managed by identity Coordinators in our units and added via \
online interface to the registry.   

Once in the registry mapping are automatic from the UF detailed affiliation to the \
Eduperson affiliations.  Individuals can and do have multiple values for the \
EduPersonAffiliation.  

See http://identity.it.ufl.edu/identity-coordination/uf-directory-affiliations/  for \
documentation of affiliation at the University of Florida.    

The Active Directory and the Shibboleth ARP attribute store (Oracle Database)  are \
populated from the registry via a messaging interface supporting asynchronous \
updates.  

Hope this provides food for thought..   !

Good luck  

WHC



Warren H. Curry
UFIT - Identity Access Management
PO Box 113359,  2008 NE Waldo Rd
352-273-1383 

Have a great day!!!

-----Original Message-----
From: users-bounces@shibboleth.net [mailto:users-bounces@shibboleth.net] On Behalf Of \
                Rod Widdowson
Sent: Tuesday, April 30, 2013 10:03 AM
To: 'Shib Users'
Subject: RE: Assigning edupersonaffiliation attribute with AD

> How do you all assign the eduPersonAffiliation attribute to your users?
> Currently we use the following script to assign it based on 
> Organisational Unit, but this is starting to prove too limiting as we 
> have users within
the
> same OUs that I'd like to assign different edupersonaffiliation 
> attributes
to.

I know nothing of AD, but I happened to be reviewing the samples recently.
Can 

https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverScriptAttribute
DefinitionExamples

Provide any help ?  In particular "generate eduPersonAffiliation based on recursive \
group membership in Active Directory" looks at memberOf() which might be interesting \
for you.


--
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net
--
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net


[prev in list] [next in list] [prev in thread] [next in thread]