edugain-discuss - Re: [eduGAIN-discuss] eduPerson schema in Active Directory

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] eduPerson schema in Active Directory


  • From: Sten Aus <sten.aus AT eenet.ee>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] eduPerson schema in Active Directory
  • Date: Thu, 14 Dec 2017 19:47:50 +0200

Hi

Thank you all for your fast and very good feedback!
I think the most effective solution would be dynamic creation with simpleSAMLphp (which they are using).

Best regards
Sten

On 14/12/2017 14:14, Peter Schober wrote:
Hi Sten,

TL;DR: What Davide said. I'll just expand a bit on that.

* Sten Aus <sten.aus AT eenet.ee> [2017-12-14 10:46]:
> I wanted to ask if some of you know (or can ask) how your IdPs
> handle eduPerson schema in their Active Directory Services?
I don't think /any/ of our institutions extended their LDAP schema in
order to join and fully interoperate within the federation. (Well, I
did that myself, back when I was running Univie's LDAP and Shibboleth
infrastructure, but that was because I wanted to make use of these
data structures also within the institution via LDAP, not just SAML.)

E.g. here's our documentation on how to create the most common
attributes used in eduID.at and eduGAIN, and *none* of these require
the addition of the eduPerson (or any other) schema to your LDAP DSA:
https://wiki.univie.ac.at/display/federation/IDP+3+Attribute+resolution

> If I understand correctly eduPerson is not supported "out of the
> box" in AD schema?
It's certainly not included in the products as shipped by M$. It
should work just fine, though, if you manage to find a current version
of it that's in a format you can feed to AD:

MACE-Dir (the curator of the eduPerson schema) depends on community
contributions to keep the collected schemas up to date and this is not
the case with the MS-AD format, it seems:
https://spaces.internet2.edu/display/macedir/LDIFs
https://spaces.internet2.edu/display/macedir/Active+Directory+eduPerson
(Current is 201602, cf. http://macedir.org/specs/eduperson/ )

But again, you'll only need this if you decided you want to make use
of those data structures via LDAP / within your MS-AD system.

Cheers,
-peter
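An added example of the "dynamic creation" approach Sten settles on, for a simpleSAMLphp IdP; this is not code from either poster or from the simpleSAMLphp project. It derives eduPersonPrincipalName, eduPersonAffiliation and eduPersonScopedAffiliation from attributes that stock Active Directory already returns (sAMAccountName, mail, memberOf), so the AD schema is never extended. The scope example.edu, the group DNs and the attribute list released at the end are placeholders; the filter classes (core:AttributeAlter, core:AttributeAdd, core:ScopeAttribute, core:AttributeLimit, core:AttributeMap) are simpleSAMLphp's own.

```php
<?php
// Added example, not from the list post or from simpleSAMLphp itself.
// Goes into config/config.php (or the IdP entry in saml20-idp-hosted.php)
// as the 'authproc.idp' chain. Filters run in ascending key order.
// Assumed: the LDAP auth source against AD returns sAMAccountName, mail and
// memberOf; 'example.edu' and the group DNs below are placeholders.
$config = [
    'authproc.idp' => [
        // eduPersonPrincipalName = <sAMAccountName>@example.edu.
        // AttributeAlter stores the rewritten value in 'target' and leaves
        // the source attribute untouched; unchanged values are not copied.
        10 => [
            'class'       => 'core:AttributeAlter',
            'subject'     => 'sAMAccountName',
            'pattern'     => '/^(.+)$/',
            'replacement' => '$1@example.edu',
            'target'      => 'eduPersonPrincipalName',
        ],
        // eduPersonAffiliation from AD group membership: map each group DN
        // onto a value from the eduPerson controlled vocabulary. Anchor the
        // pattern on the whole DN so a similarly named group elsewhere in the
        // tree does not grant the affiliation.
        20 => [
            'class'       => 'core:AttributeAlter',
            'subject'     => 'memberOf',
            'pattern'     => '/^CN=Staff,OU=Groups,DC=example,DC=edu$/i',
            'replacement' => 'staff',
            'target'      => 'eduPersonAffiliation',
        ],
        21 => [
            'class'       => 'core:AttributeAlter',
            'subject'     => 'memberOf',
            'pattern'     => '/^CN=Students,OU=Groups,DC=example,DC=edu$/i',
            'replacement' => 'student',
            'target'      => 'eduPersonAffiliation',
        ],
        // Everyone who authenticated at this IdP is at least 'member'.
        // AttributeAdd appends to existing values unless '%replace' is set.
        30 => [
            'class'                => 'core:AttributeAdd',
            'eduPersonAffiliation' => ['member'],
        ],
        // eduPersonScopedAffiliation = <affiliation>@<scope>. ScopeAttribute
        // takes the scope from the part of eduPersonPrincipalName after '@'.
        40 => [
            'class'           => 'core:ScopeAttribute',
            'scopeAttribute'  => 'eduPersonPrincipalName',
            'sourceAttribute' => 'eduPersonAffiliation',
            'targetAttribute' => 'eduPersonScopedAffiliation',
        ],
        // Release only what the federation needs: the raw AD group DNs,
        // sAMAccountName and anything else from the directory are dropped here.
        50 => [
            'class' => 'core:AttributeLimit',
            'eduPersonPrincipalName',
            'eduPersonAffiliation',
            'eduPersonScopedAffiliation',
            'mail',
            'displayName',
        ],
        // Rename the friendly names to urn:oid:... so the SAML assertion
        // carries the attribute names SPs in eduGAIN expect.
        60 => [
            'class' => 'core:AttributeMap',
            'name2oid',
        ],
    ],
];
```

Two points worth checking in a real deployment: the memberOf mapping only holds if AttributeAlter copies changed values alone into the target (which is the behaviour in current releases, so confirm on the version you run), and the AttributeLimit step should sit before any filter that could add attributes you did not mean to release, otherwise directory data such as group DNs can reach SPs.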