How to get email addresses from a Shibboleth authentication system

Posted on 2024-12-17 14:06:47

I have an application that uses email addresses for user authentication.

I know that some universities use Shibboleth for user authentication, and I was wondering what the process is for being able to read emails from the university database that is used for Shibboleth. Note that I do not care about authentication through Shibboleth, I only need to be able to read the email addresses.

Is it general for all universities that use Shibboleth, or is each a unique case?

Is there any documentation on how to do this process?

Comments (2)

瀞厅☆埖开 2024-12-24 14:06:47

Shibboleth can be configured (IdP-side) to release user attributes along with authentication data, for example the user's email address. Client-side, assuming you're going through shibd, you'll need a setting in your attribute-map.xml that says "map attribute with OID x.y.z.a to environment variable USERMAIL" and then you get the result in that environment variable. The example config should already contain it.

This would be the same for everybody insofar as the OID for "email" is always the same, but you'd have to negotiate with the IdPs (universities) or their federations so that they will actually release that attribute to you.
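
As an added example (not from the answer above or from the Shibboleth project), this is one way an application behind the SP could read the mapped attribute. It assumes Apache with mod_shib and mod_wsgi, and an attribute-map.xml entry mapping the standard mail OID to the id USERMAIL; the function names are illustrative.

```python
# Added illustration; not code from the answer or from the Shibboleth project.
# Assumes attribute-map.xml on the SP contains a mapping such as
#   <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="USERMAIL"/>
# (urn:oid:0.9.2342.19200300.100.1.3 is the standard OID for "mail").
import re

ATTR = "USERMAIL"  # id chosen in attribute-map.xml, as in the answer
_EMAIL = re.compile(r"^[^@\s;]+@[^@\s;]+\.[^@\s;]+$")


def split_values(raw):
    """Split an SP attribute string: multiple values are joined with ';'
    and a literal ';' inside a value is escaped as a backslash plus ';'."""
    values, cur, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            cur.append(";")
            i += 2
        elif raw[i] == ";":
            values.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(raw[i])
            i += 1
    values.append("".join(cur))
    return [v.strip() for v in values if v.strip()]


def released_email(environ):
    """Return the first well-formed address the IdP released, or None."""
    # Read only the server-set variable. "HTTP_USERMAIL" would be a
    # client-supplied request header and must never be trusted.
    for value in split_values(environ.get(ATTR, "")):
        if _EMAIL.match(value):
            return value
    return None  # the IdP did not release the attribute to this SP


def app(environ, start_response):
    """Minimal WSGI app: refuse the request when no email was released."""
    email = released_email(environ)
    if email is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"No email attribute was released for this session.\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("Signed in as %s\n" % email).encode()]
```

A `None` result usually means the IdP or federation has not agreed to release the attribute to this SP, which is the negotiation step the answer describes.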

走过海棠暮 2024-12-24 14:06:47

Shibboleth is used by many institutions, but by no means all. Many use Athens, proxies or IP recognition, among other things.

As far as I am aware, a user's email address is not tied directly to the Shib system. When a user tries to access a Shibboleth-protected resource they are taken to their institution's login page to authenticate themselves. They might enter their email address to authenticate or they might enter a username, they might be auto logged-in based on their IP address, or something else.

The institution does send back an affiliation through Shib data transfer upon successful login, something like [email protected] but this is not necessarily the email address the user used to log in. I guess they could send that but it has not been used in systems I've worked on.

Shibboleth is commonly used to check that the user is from an institution that has purchased access to a protected resource rather than identifying a particular user from that institution so the user's email isn't needed.

Not sure if this helps at all: http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html#eduPersonAffiliation
