eduGAIN: missing identifier


We have had our Indico instance configured with eduGAIN for many years already. But with some IdPs we have the problem that users cannot login successfully because the “identifier is missing in the auth provider”. I guess this is related to the fact that we use the email as the identifier and that these IdPs don’t release the email (from Shibboleth logs, I have the feeling that they release only the persistent ID and the affiliation). I was wondering if it is something wrongly configured on our side or if it was a common problem, hopefully with a workaround…



Are we the only site using eduGAIN and experiencing such problems?


At least at CERN we don’t use eduGAIN directly i Indico (only through central SSO) so we can’t really help you :confused:

For the record, we made some progress on identifying the cause, thanks to CERN eduGAIN experts! More and more IdPs are relying on the REFEDS Research and Scholarship Entity Category to decide which attributes they release and by default release only the persistent ID. It seems the federation managers have to do something to publish that you support the Research and Scholarship Entity Category and once it is done the required attributes (name, email) should be released. Work in progress, stay tuned!