Reputation: 110073
How to obtain an email address from a Shibboleth auth system
I have an application that uses email addresses for user authentication.
I know that some universities use Shibboleth for user authentication, and I was wondering what the process is for being able to read emails from the university database that is used for Shibboleth. Note that I do not care about authentication through Shibboleth, I only need to be able to read the email addresses.
Is it general for all universities that use Shibboleth, or is each a unique case?
Is there any documentation on how to do this process?
Upvotes: 2
Views: 568
Answers (2)
Reputation: 7727
Shibboleth can be configured (IdP-side) to release user attributes along with authentication data, for example the user's email address. Client-side, assuming you're going though shibd, you'll need a setting in your attribute-map.xml that says "map attribute with OID x.y.z.a to environment variable USERMAIL" and then you get the result in that environment variable. The example config should already contain it.
This would be the same for everybody insofar as the OID for "email" is always the same, but you'd have to negotiate with the IdPs (universities) or their federations so that they will actually release that attribute to you.
Upvotes: 1
Reputation: 11080
Shibboleth is used by many institutions, but by no means all. Many use Athens, proxies or IP recognition, among other things.
As far as I am aware, a user's email address is not tied directly to the Shib system. When a user tries to access a Shibboleth-protected resource they are taken to their institution's login page to authenticate themselves. They might enter their email address to authenticate or they might enter a username, they might be auto logged-in based on their IP address, or something else.
The institution does send back an affiliation through Shib data transfer upon successful login, something like [email protected] but this is not necessarily the email address the user used to login. I guess they could send that but it has not been used in system's I've worked on.
Shibboleth is commonly used to check that the user is from an institution that has purchased access to a protected resource rather than identifying a particular user from that institution so the user's email isn't needed.
Not sure if this helps at all: http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html#eduPersonAffiliation
Upvotes: 0
Related Questions
- Connect Apache OFBIZ database to website application (HTML,CSS,JS)
- Scaling phpBB?
- How can I convert a PHP application in Bluemix to use SQL Database instead of mySQL database?
- HTML Application and databases
- schemadb + ZendFramework integration for rapid database growup in development time
- What database tables does Apache Shiro require?
- can Shibboleth work directly based on oracle database and without a LDAP
- How to replace MySQL Server with Apache Derby as a PHP application database?
- Is it possible to integrate my database with a forum (SMF, phpBB) database?
- Database web application