Shibboleth IdP deployment on Sunday, 11/1/2009 from 9:00am to 10:00am
We are planning a deployment of the Shibboleth IdP application on 11/1/2009. This deployment should not cause any outage of IdP services.
Two major changes in this release are:
Bug Fix - Single Sign On is not working in some cases
Sequence of events that leads to this anomaly:
1. Log into an ISIS application with OASIS or QDB logon id
2. Access a Shibboleth-enabled application in the same browser
The user cannot get to the application in this case and is forwarded to the Applications list page instead.
This affects a small population of users. A workaround is available for now: the user has to quit the browser and access the Shibboleth-enabled application in a new browser window.
Attribute values for eduPersonAffiliation
Shibboleth delivers the user's affiliation with the university via the eduPersonAffiliation attribute (id is urn:mace:dir:attribute-def:eduPersonAffiliation). Currently we are asserting "student" and "affiliate" only. "student" means UCLA student and "affiliate" means those with an entry in our payroll system.
1. Assert two more values: "member" and "employee"
2. Redefine "affiliate" as per the eduPerson schema
Definition of the assertions:
student: UCLA student
employee: UCLA employee
member: UCLA student or UCLA employee
affiliate: UCLA employee or UCOP employee or UCMerced employee
Important Note
We will be asserting "affiliate" for a short period, for those with a payroll entry. This will be temporary, to ensure that Service Providers receiving this attribute will not break. We will stop asserting this value after verification with every Service Provider currently using this attribute.
Please note eduPersonAffiliation is a multi-valued attribute. You may receive more than one value for this attribute, depending on the person's current affiliation.
Please note eduPersonScopedAffiliation is also affected. eduPersonScopedAffiliation will have the same value(s) as eduPersonAffiliation, with the scope attached.
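For Service Providers checking their authorization logic against this change, the following Python sketch is an added example, not code from the IdP team or from Shibboleth. It assumes the application receives each attribute as one string with values joined by ";" (a literal ";" escaped as "\;"), and all function names, the sample strings and the scope example.edu are constructed for illustration.

```python
import re

def split_values(raw):
    """Split a multi-valued attribute string into its individual values."""
    if not raw:
        return []
    # Assumption: values are joined with ';' and a literal ';' is escaped as '\;'.
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]

def scoped_values(raw):
    """Return (value, scope) pairs from an eduPersonScopedAffiliation string."""
    pairs = []
    for item in split_values(raw):
        value, sep, scope = item.rpartition("@")
        if sep and value and scope:  # drop entries that carry no scope
            pairs.append((value.lower(), scope.lower()))
    return pairs

def legacy_check(affiliation_raw):
    """Fragile: assumes a single value and keys on the temporary 'affiliate'."""
    return affiliation_raw == "affiliate"

def is_employee(affiliation_raw):
    """Robust: set membership on the newly asserted 'employee' value."""
    return "employee" in {v.lower() for v in split_values(affiliation_raw)}

def is_employee_in_scope(scoped_raw, scope):
    """Same check on the scoped attribute, pinned to one expected scope."""
    return ("employee", scope.lower()) in scoped_values(scoped_raw)

# Constructed samples (not real IdP output).
TRANSITION_STAFF = "affiliate;employee;member"  # payroll entry, transition period
STUDENT = "student;member"
SCOPED_STAFF = "employee@example.edu;member@example.edu"

if __name__ == "__main__":
    for raw in (TRANSITION_STAFF, STUDENT):
        print(raw, "legacy:", legacy_check(raw), "employee:", is_employee(raw))
    print(SCOPED_STAFF, is_employee_in_scope(SCOPED_STAFF, "example.edu"))
```

The legacy comparison already fails for staff during the transition because the attribute now carries several values, while the set-membership check keeps working after "affiliate" is no longer asserted for payroll entries.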