Notice for Shibboleth Users

Notice of Incorrect Attribute for Shibboleth Users

During our implementation of Simple SAML technology we received reports from our users that, despite being part of the UK federation, they were not able to access their subscribed ASE content through the SSO authentication process.

Our developers identified that this was caused by a change in the original attribute, i.e. cases where your university has changed its ID (for example to “@testuniversity.ac.uk”). Our system works on the Simple SAML protocol, which refers to your institution's original ID.

We have been advised to instruct any libraries affected by this issue to ask their developer to configure their IdP to stop sending the following NameID attribute to ASE: eduPersonTargetedID. This should not affect any of your other service providers, and it has been identified as the cause of the login protocol failing. Your eduPersonScopedAffiliation is set up correctly on ASE’s system.

Attributes sent per user (example):

eduPersonScopedAffiliation: staff@test.ukfederation.org.uk and member@test.ukfederation.org.uk

eduPersonPrincipalName: beth@test.ukfederation.org.uk

eduPersonTargetedID: depends on the entityID of the SP [Do not send if not original ID]

eduPersonEntitlement: http://ukfederation.org.uk/entitlements/example
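As an added example (not ASE's or the UK federation's own configuration), the following Shibboleth IdP attribute-filter policy releases the attributes listed above to one SP only and explicitly withholds eduPersonTargetedID from it, so other service providers are unaffected. It assumes Shibboleth IdP v3/v4 attribute-filter.xml syntax, that the IdP's attribute-resolver defines these attributes under the same IDs, and that ASE's SP entityID is the placeholder https://sp.ase-placeholder.example/shibboleth.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for conf/attribute-filter.xml on a Shibboleth IdP (v3/v4 syntax).
     Placeholder entityID: replace with ASE's real SP entityID from federation metadata. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Applies only when the requesting SP is ASE; other SPs keep their existing policies. -->
    <AttributeFilterPolicy id="releaseToASE-withoutTargetedID">
        <PolicyRequirementRule xsi:type="Requester"
            value="https://sp.ase-placeholder.example/shibboleth" />

        <!-- Attributes ASE does use (names as in the notice above). -->
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <!-- A deny rule takes precedence over permit rules in any other policy, so
             eduPersonTargetedID is withheld from this SP even if a general policy
             releases it to every SP. -->
        <AttributeRule attributeID="eduPersonTargetedID">
            <DenyValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

After saving, reload the filter service on the IdP (for example with bin/reload-service.sh -id shibboleth.AttributeFilterService) and confirm via the IdP's attribute-release test that ePTID no longer appears for that SP.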

This is a known Shibboleth-wide issue; see https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID

That page explains that some old instances of Shibboleth were configured to send plain values for the eduPersonTargetedID attribute. As the page says, this is wrong, and doing it that way during the early stages of Shibboleth's adoption was a mistake. The UK federation also states the following about the attribute:

There are two ways that the ePTID can be presented, an older and all-but-deprecated form presented as a scoped attribute containing a unique identifier and the IdP's security domain (only used in SAML1), and a newer version in the form of an ordered triple (containing the unique identifier and the entityIDs of the SP and the user's organisation's IdP), which can be used in either SAML1 or SAML2.

Source: https://www.ukfederation.org.uk/content/Documents/AttributesForAuthorization

Unfortunately the software ASE uses (SimpleSAMLphp) doesn't support this historic eduPersonTargetedID format.