Whether or not a SAML Identity Provider Metadata XML file is provided by the client administrator, SAML Attribute information is needed. If the Identity Provider already provides InCommon eduPerson Protocol-Level Attribute Names then the well-known attribute names for first name, last name, user name and email information are automatically used. Otherwise Swank will need SAML Protocol-Level Attribute Names that contain information for:

...

Any user whose role cannot be determined is not allowed to log into Streaming Server. A role is determined by an exact match of text to a SAML Protocol-Level Attribute Name combined with a partial match against that attribute's value. Here is an example using eduPersonScopedAffiliation or eduPersonEntitlement; you can match against any SAML Protocol-Level Attribute Name in the same way for your Streaming Server portal.

User Role                 | Partial matching text | FriendlyName               | Protocol-Level Attribute Name    | Attribute Value
--------------------------|-----------------------|----------------------------|----------------------------------|---------------------------------------------------------
Basic User Role           | employee@             | eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | staff@school.edu; employee@school.edu; member@school.edu
Instructor User Role      | Microscope            | eduPersonEntitlement       | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | urn:mace:school.edu:confocalMicroscope
No User Role (no access)  | Notfound              | eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | staff@school.edu; employee@school.edu; member@school.edu

Table 1: Attributes for user roles

Basic and User Roles

When a user is being authenticated as a Basic or User role, it is not necessary to send the SAML attributes identifying their first name, last name, user name, or email address.

...

When a user is being authenticated as the Instructor or Admin role, it is required that the Identity Provider sends a SAML attribute for email address (urn:oid:0.9.2342.19200300.100.1.3) and a SAML attribute for at least one of first name (urn:oid:2.5.4.42), last name (urn:oid:2.5.4.4), or user name (urn:oid:2.16.840.1.113730.3.1.241).

Attribute Description                       | Friendly Name                                          | Protocol-Level Attribute Name     | Attribute Value
--------------------------------------------|--------------------------------------------------------|-----------------------------------|--------------------
First name                                  | givenName                                              | urn:oid:2.5.4.42                  | Rick
Last name                                   | sn                                                     | urn:oid:2.5.4.4                   | Sanchez
User name (displayed in upper right corner) | displayName (uses sn + givenName if displayName is missing) | urn:oid:2.16.840.1.113730.3.1.241 | Rick Sanchez
Email                                       | mail                                                   | urn:oid:0.9.2342.19200300.100.1.3 | rsanchez@school.edu

Table 2: Attribute examples

Non-Standard SAML Attributes

If the Identity Provider uses Protocol-Level Attribute Names other than those listed above (givenName = urn:oid:2.5.4.42, etc.), the Streaming Server can work with it. Just provide your account manager with a list of the Protocol-Level Attribute Names that your Identity Provider uses to describe first name, last name, user name, and email.
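Worked example added here (not Swank's own code): a Python role resolver that applies the Table 1 rules (exact Protocol-Level Attribute Name, partial match on the value) to a SAML 2.0 AttributeStatement and then enforces the Table 2 requirement that Instructor/Admin users carry mail plus at least one name attribute. The rule precedence, case-sensitive substring matching and the sample assertion are assumptions; the names in ROLE_RULES and OID_NAMES are where non-standard attribute names from your Identity Provider would be substituted.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Protocol-Level Attribute Names from Tables 1 and 2.
OID_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"   # eduPersonScopedAffiliation
OID_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"   # eduPersonEntitlement
OID_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"         # mail
OID_NAMES = ("urn:oid:2.5.4.42", "urn:oid:2.5.4.4",    # givenName, sn
             "urn:oid:2.16.840.1.113730.3.1.241")      # displayName

# Table 1 rules: (role, exact attribute name, partial text found in a value).
# Listing order is the assumed precedence (most privileged first).
ROLE_RULES = [
    ("Instructor", OID_ENTITLEMENT, "Microscope"),
    ("Basic", OID_AFFILIATION, "employee@"),
]

def parse_attributes(assertion_xml):
    # Collect {attribute Name: [values]} from the SAML 2.0 AttributeStatement.
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        vals = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(vals)
    return attrs

def determine_role(attrs):
    # Exact match on name, substring match on any value (assumed case-sensitive); None = no access.
    for role, name, needle in ROLE_RULES:
        if any(needle in value for value in attrs.get(name, [])):
            return role
    return None

def identity_complete(attrs):
    # Instructor/Admin need mail plus at least one of givenName, sn, displayName.
    return bool(attrs.get(OID_MAIL)) and any(attrs.get(n) for n in OID_NAMES)

def authorize(assertion_xml):
    # Returns the role to grant, or None when the user must be refused.
    attrs = parse_attributes(assertion_xml)
    role = determine_role(attrs)
    if role in ("Instructor", "Admin") and not identity_complete(attrs):
        return None  # required identity attributes are missing
    return role

# Constructed sample assertion (not from the page): an instructor with mail and sn.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>urn:mace:school.edu:confocalMicroscope</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>rsanchez@school.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Sanchez</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
```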