uhEmail

MACE-Dir LISTSERV list discussions

The Internet2 MACE-Dir LISTERV list has discussed this attribute in the past and is again discussing it as of Sep 2015. The proposal for an attribute named institutionalUserMailAddress that matches what is described herein was ultimately rejected a few years back by the list membership. That discussion included an additional attributed called institutionalUserMailAddressPrior.

The purpose of the new UH Email Address attribute is to address issues developers are having with the current multi-value attribute. The first occurrence of that attribute might yield the anticipated UH email address, or the first.last UH email address, or, on occasion, a 3rd-party email address.

For the purpose of the SAML SSO protocol provided by our UH Login Shibboleth IdP, the OID that will be provided for uhEmail is that of the "mail" attribute, 0.9.2342.19200300.100.1.3.

When service providers want an email attribute they generally expect an attribute based on the SAML name "0.9.2342.19200300.100.1.3". This "mail" attribute is an old attribute, and is potentially multi-valued. However, in our experience, most SPs do not actually handle a multi-valued "mail" attribute gracefully because they expect a single canonical value. Furthermore, when there is actually more than one value for "mail" available, there is no particular order imposed on the returned values, so this potentially leads to further issues for the SP since there is no reliable method to pick a specific address out of an unordered set.

uhEmail provides the canonical single-valued email address for UH, so we map it to the expected OID for a mail attribute rather than the private OID used internally for uhEmail.