Shibboleth Identity Provider attribute mapping
Mapping the local user schema to the Edugate schema can be trivial or complex, depending on the complexity of the local schema and how closely the two schemas match.
LDAP directories that use the inetOrgPerson and Person schemas provide a simple mapping for some of the Edugate schema attributes. For example, the common LDAP attributes givenName, sn and mail can be mapped directly to the equivalent Edugate attributes, as both come from the same parent schemas (inetOrgPerson and Person).
The eduPersonPrincipalName, eduPersonTargetedID, eduPersonScopedAffiliation and eduPersonEntitlement attributes can be more complex to map, as they are not found in many organisations' local schemas. As an example, consider the fictitious institution 'University of Mullingar' (www.um.ie). If the campus directory at UM used the inetOrgPerson attribute employeeType to denote a user's role at UM (having values of STU for students and STF for staff), this would need to be mapped into the eduPersonScopedAffiliation values email@example.com and firstname.lastname@example.org. This may be further complicated if UM treats postgraduate students studying for a Research Postgraduate Degree as staff and postgraduates on taught programmes as students, while the employeeType value PGRAD offers no distinction between the two types of postgraduate.
Example complex mappings
- Reading the value of a custom attribute to decide if a postgraduate student should be classed as staff or as a student.
- Taking the first half of an email address or data from the StoredID database to build an ID for later use
- Fallback routine to build an email address if the mail LDAP attribute is empty
- Strip out the value of CN from a DN to build an ID
- Aggregating attributes to build up the eduPersonScopedAffiliation attribute
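
The following is an added example, not code from the original page, Edugate or Shibboleth: plain JavaScript showing the mapping logic behind three of the cases above (postgraduate classification, CN extraction from a DN, and the mail fallback). Assumptions: the scope `um.ie`, the affiliation names `student` and `staff`, the custom attribute `umPostgradType` and the `uid@scope` fallback convention are all hypothetical.

```javascript
// Added example: mapping logic only; attribute names marked "hypothetical" are not from the page.
const SCOPE = "um.ie"; // assumed scope for the fictitious University of Mullingar

// Map multi-valued employeeType (STU, STF, PGRAD) to scoped affiliations.
// umPostgradType is a hypothetical custom attribute: "RESEARCH" or "TAUGHT".
function scopedAffiliations(entry) {
  const out = new Set();
  for (const raw of entry.employeeType || []) {
    const type = String(raw).trim().toUpperCase();
    if (type === "STU") out.add("student");
    else if (type === "STF") out.add("staff");
    else if (type === "PGRAD") {
      const pg = String((entry.umPostgradType || [])[0] || "").toUpperCase();
      if (pg === "RESEARCH") out.add("staff");
      else if (pg === "TAUGHT") out.add("student");
      // Unknown postgraduate type: release nothing rather than guess a role.
    }
  }
  return [...out].sort().map((a) => `${a}@${SCOPE}`);
}

// Return the CN value from a DN, or null. RDNs are split on unescaped commas
// only, so "ou=x\,cn=admin" is not mistaken for a CN component.
function cnFromDn(dn) {
  const rdns = String(dn || "").match(/(?:\\.|[^,\\])+/g) || [];
  for (const rdn of rdns) {
    const m = /^\s*cn=(.+)$/i.exec(rdn);
    if (m) return m[1].replace(/\\(.)/g, "$1").trim();
  }
  return null;
}

// Prefer the LDAP mail value; if it is missing or blank, build uid@SCOPE
// (assumed local convention). Returns null when neither is available.
function mailOrFallback(entry) {
  const mail = (entry.mail || []).map((v) => String(v).trim()).find((v) => v);
  if (mail) return mail;
  const uid = String((entry.uid || [])[0] || "").trim();
  return uid ? `${uid}@${SCOPE}` : null;
}

// Constructed sample directory entry (not real data).
const sample = {
  dn: "cn=jbloggs,ou=people,dc=um,dc=ie",
  employeeType: ["PGRAD"], umPostgradType: ["RESEARCH"], mail: [""], uid: ["jbloggs"],
};
console.log(scopedAffiliations(sample), cnFromDn(sample.dn), mailOrFallback(sample));
```

A PGRAD entry with no usable `umPostgradType` yields an empty affiliation list, so an unclassified postgraduate is never asserted as staff by default.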