How to get email addresses from a Shibboleth authentication system
I have an application that uses email addresses for user authentication.
I know that some universities use Shibboleth for user authentication, and I was wondering what the process is for being able to read emails from the university database that is used for Shibboleth. Note that I do not care about authentication through Shibboleth, I only need to be able to read the email addresses.
Is it general for all universities that use Shibboleth, or is each a unique case?
Is there any documentation on how to do this process?
Comments (2)
Shibboleth can be configured (IdP-side) to release user attributes along with authentication data, for example the user's email address. Client-side, assuming you're going through shibd, you'll need a setting in your attribute-map.xml that says "map attribute with OID x.y.z.a to environment variable USERMAIL" and then you get the result in that environment variable. The example config should already contain it.
This would be the same for everybody insofar as the OID for "email" is always the same, but you'd have to negotiate with the IdPs (universities) or their federations so that they will actually release that attribute to you.
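An added example, not part of the answer above: reading the released mail attribute in a Python WSGI application that sits behind the Shibboleth SP. It assumes the SP exports attributes as environment variables, that the mapping uses the id USERMAIL as in the answer, and that a session is signalled by Shib-Session-ID; the function names are hypothetical.

```python
import re

# Assumed SP-side attribute-map.xml entry (urn:oid:0.9.2342.19200300.100.1.3 is "mail"):
#   <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="USERMAIL"/>
ATTR = "USERMAIL"
SESSION_VAR = "Shib-Session-ID"  # exported by the SP only when a session exists
_EMAIL = re.compile(r"^[^@\s;]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def split_values(raw):
    """Split an SP-exported attribute: values are ';'-separated, a literal ';' is '\\;'."""
    values, current, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and raw[i + 1:i + 2] == ";":
            current.append(";")  # escaped separator belongs to the value
            i += 2
        elif raw[i] == ";":
            values.append("".join(current))
            current = []
            i += 1
        else:
            current.append(raw[i])
            i += 1
    values.append("".join(current))
    return [v.strip() for v in values if v.strip()]


def released_emails(environ):
    """Return the well-formed mail values the IdP released, or [] if there are none.

    Only server-set variables are read. A client-supplied "USERMAIL:" request
    header appears in WSGI as HTTP_USERMAIL and is deliberately never consulted.
    """
    if not environ.get(SESSION_VAR):
        return []  # no Shibboleth session, so no attribute can be trusted
    return [v for v in split_values(environ.get(ATTR, "")) if _EMAIL.match(v)]


if __name__ == "__main__":
    # Constructed sample environment: the IdP released two mail values.
    sample = {SESSION_VAR: "_constructed-session-id",
              ATTR: "alice@uni.example;alice@cs.uni.example"}
    print(released_emails(sample))
```

An empty result with a valid session usually means the IdP is not releasing the attribute to this SP, which is the negotiation step the answer describes.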
Shibboleth is used by many institutions, but by no means all. Many use Athens, proxies or IP recognition, among other things.
As far as I am aware, a user's email address is not tied directly to the Shib system. When a user tries to access a Shibboleth-protected resource they are taken to their institution's login page to authenticate themselves. They might enter their email address to authenticate or they might enter a username, they might be auto logged-in based on their IP address, or something else.
The institution does send back an affiliation through Shib data transfer upon successful login, something like [email protected] but this is not necessarily the email address the user used to log in. I guess they could send that but it has not been used in systems I've worked on.
Shibboleth is commonly used to check that the user is from an institution that has purchased access to a protected resource rather than identifying a particular user from that institution so the user's email isn't needed.
Not sure if this helps at all: http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html#eduPersonAffiliation