...

Attribute Requirements

simpleSAMLphp (http://rnd.feide.no/simplesamlphp) returns the attributes from the SAML message in an associative array. Because the different federations implement some of the attributes slightly differently, and not all attributes are mandatory, we cannot rely on a single namespace. To handle this, we have added a way for the NREN administrator to map the provided attributes to the required Confusa attributes. The required attributes are also listed, each with a short description of its intended usage and the consequence when it is unavailable.

...

The organization is used to find the proper maps, administrators etc. It is also added to the DN of the certificate. The most sensible attributes to use here are eduPersonOrgDN (ePODN) or schacHomeOrganization (http://rnd.feide.no/content/schachomeorganization). Which attribute to use can be configured at the NREN level and only at the NREN level. If this attribute could also be configured at the subscriber level, it would be impossible for Confusa to infer which NREN a subscriber admin belongs to. If no attribute is set, Confusa cannot sign certificates.

...

The CP/CPS requires us to notify the user about a newly issued certificate through a channel other than the currently active one (the web interface). We therefore need an email address to send a receipt to. The attribute used for this can be configured at the NREN and subscriber level by the respective admins. A reasonable attribute is mail (http://rnd.feide.no/attribute/mail). If no attribute is set, Confusa cannot sign certificates for the user.
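
The mapping rules for the organization and email attributes described above, as an added example that is not Confusa's own code: the organization source is read from the NREN-level map only, and signing is refused when a required attribute cannot be resolved. The function name, map keys and sample values are hypothetical, and letting a subscriber-level email mapping override the NREN-level one is an assumption the page does not state.

```php
<?php
// Added example, not Confusa's own code. All names here are hypothetical.

// Resolve the required Confusa attributes from the IdP-provided attributes.
// $attributes: attribute name => list of values (associative array).
function resolveRequired(array $attributes, array $nrenMap, array $subscriberMap): array
{
    $sources = [
        // Organization: NREN-level map only; a subscriber-level entry is ignored.
        'organization' => $nrenMap['organization'] ?? null,
        // Email: both levels may set it. Assumption: subscriber overrides NREN.
        'email' => $subscriberMap['email'] ?? $nrenMap['email'] ?? null,
    ];
    $resolved = [];
    $missing = [];
    foreach ($sources as $key => $idpName) {
        $values = ($idpName !== null) ? ($attributes[$idpName] ?? []) : [];
        $value = is_array($values) ? trim((string) ($values[0] ?? '')) : '';
        if ($value === '') {
            $missing[] = $key;      // unmapped, absent or empty
        } else {
            $resolved[$key] = $value;
        }
    }
    // Signing is refused unless every required attribute resolved.
    return ['attributes' => $resolved, 'missing' => $missing, 'canSign' => $missing === []];
}

// Constructed sample data.
$nrenMap       = ['organization' => 'schacHomeOrganization', 'email' => 'mail'];
$subscriberMap = ['organization' => 'o', 'email' => 'mail'];
$complete = [
    'schacHomeOrganization' => ['example.org'],
    'o'                     => ['Some Other Org'],
    'mail'                  => ['jdoe@example.org'],
];
$noMail = ['schacHomeOrganization' => ['example.org']];

foreach (['complete' => $complete, 'no mail' => $noMail] as $label => $attrs) {
    $r = resolveRequired($attrs, $nrenMap, $subscriberMap);
    printf("%s: canSign=%s organization=%s missing=[%s]\n", $label,
        $r['canSign'] ? 'yes' : 'no',
        $r['attributes']['organization'] ?? '-',
        implode(',', $r['missing']));
}
```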

...

The attribute mapping process (NREN)

System Requirements

We try to write distro-independent code. However, subtle differences between the GNU/Linux distributions may lead to the occasional bug. Confusa is tested and should work flawlessly on the following distributions:

...