Subject: RE: use of eduPersonEntitlement
From: "Vries, Ale de (ELS-NYC)" <ale@xxxxxxxxxxxx>
Date: Wed, 15 May 2013 13:25:54 +0000

Our SP _generally_ requires the eduPersonEntitlement value, but coincidentally we've been running into the issue recently that more and more IdPs in more and more federations release multiple values for that attribute. Our assumption has always been that _if_ eduPersonEntitlement is used in any given federation, then just one value will be released for any given user at any given time - not multiple. So we're now faced with implementing logic to evaluate multiple attribute values to determine which of them may be valid for access to our products - which is not a small effort because of how deeply intertwined this logic is with our (already complex) authorization logic. Pending that implementation, we have simply decided to not check for the eduPersonEntitlement value _at all_ for some federations, which means that in those federations some users may be getting access to our products while in fact they shouldn't.

> -----Original Message-----
> From: Keith Hazelton [mailto:hazelton@xxxxxxxx]
> Sent: Tuesday, May 14, 2013 14:00
> To: REFeds
> Subject: [refeds] use of eduPersonEntitlement
> An email thread here has me wondering whether IdPs outside InCommon
> tend to make much use of the eduPersonEntitlement attribute.
> Any data points welcome.
>       --Keith Hazelton
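The situation described in the reply above, as an added example that is not part of the thread or of any SP's real code: an IdP releases several eduPersonEntitlement values in one SAML AttributeStatement, and the SP's check must consider all of them rather than the first one. The entitlement URIs under example.org, the accepted-value set and the assertion fragment are constructed for illustration; the attribute OID and urn:mace:dir:entitlement:common-lib-terms are the real registered identifiers.

```python
"""Evaluate a multi-valued eduPersonEntitlement attribute against an SP's accepted set.

Added example, not code from the thread. Assumes the SP keeps a per-product set of
accepted entitlement URIs; the example.org URIs and the sample statement are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Iterable, List, Set

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EDUPERSON_ENTITLEMENT_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"

# Constructed AttributeStatement: the IdP releases three entitlement values, and the
# one the SP cares about is not the first.
SAMPLE_ATTRIBUTE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML_ASSERTION_NS}">
  <saml:Attribute Name="{EDUPERSON_ENTITLEMENT_OID}" FriendlyName="eduPersonEntitlement"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>urn:mace:example.org:entitlement:staff</saml:AttributeValue>
    <saml:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
    <saml:AttributeValue>urn:mace:example.org:entitlement:vpn</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed: the entitlement this SP's product accepts.
ACCEPTED_FOR_PRODUCT: Set[str] = {"urn:mace:dir:entitlement:common-lib-terms"}


def entitlement_values(attribute_statement_xml: str) -> List[str]:
    """Return every eduPersonEntitlement value in the statement, in release order.

    This operates on an assertion the SAML layer has already signature-verified;
    signature checks and a hardened XML parser belong there, not here.
    """
    root = ET.fromstring(attribute_statement_xml)
    ns = {"saml": SAML_ASSERTION_NS}
    values: List[str] = []
    for attr in root.findall("saml:Attribute", ns):
        is_entitlement = (attr.get("Name") == EDUPERSON_ENTITLEMENT_OID
                          or attr.get("FriendlyName") == "eduPersonEntitlement")
        if is_entitlement:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", ns))
    return [v for v in values if v]


def first_value_grants(values: Iterable[str], accepted: Set[str]) -> bool:
    """The single-value assumption: only the first released value is examined.

    Wrongly denies a user whose accepted entitlement is released second or later.
    """
    values = list(values)
    return bool(values) and values[0] in accepted


def any_value_grants(values: Iterable[str], accepted: Set[str]) -> bool:
    """Multi-valued evaluation: grant if any released value is accepted for the product.

    An empty value list is a deny, unlike skipping the check altogether.
    """
    return not set(values).isdisjoint(accepted)


def matching_entitlements(values: Iterable[str], accepted: Set[str]) -> List[str]:
    """The accepted values actually present, for audit logging of the grant decision."""
    return sorted(set(values) & accepted)


if __name__ == "__main__":
    released = entitlement_values(SAMPLE_ATTRIBUTE_STATEMENT)
    print("released:", released)
    print("first-value check grants:", first_value_grants(released, ACCEPTED_FOR_PRODUCT))
    print("any-value check grants:  ", any_value_grants(released, ACCEPTED_FOR_PRODUCT))
    print("matched:", matching_entitlements(released, ACCEPTED_FOR_PRODUCT))
```

The set-intersection form also keeps the decision independent of the order in which the IdP happens to serialize the values, which is not something the attribute definition guarantees.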