{"id":"7e4c54f4-34b8-4e78-be22-7a0526809aeb","task":"Implement SAML 2.0 SP-initiated SSO for an edtech tool integrating with a university's Shibboleth IdP, including attribute mapping and FERPA-compliant attribute release","domain":"shibboleth.net","steps":["Register the tool as a SAML SP by providing your SP metadata XML containing EntityID, AssertionConsumerService URL, and the SP signing certificate","Build the AuthnRequest XML with the SP EntityID, ACS URL, and a random ID; sign it with the SP private key and redirect the user via HTTP Redirect binding with a base64url-encoded SAMLRequest","Receive the HTTP POST callback with the SAMLResponse; base64-decode and parse the XML assertion","Verify the IdP signature using the IdP certificate from metadata, validate NotBefore and NotOnOrAfter, and confirm the AudienceRestriction matches your EntityID","Extract eduPerson attributes (eduPersonPrincipalName, mail, eduPersonAffiliation) from the AttributeStatement","Map the scoped eduPersonPrincipalName to your internal user record; do not store sensitive attributes beyond session duration unless you have a specific FERPA basis"],"gotchas":["Shibboleth IdPs release only attributes explicitly listed in the attribute-filter.xml; if an expected attribute is absent, the IdP did not release it — not a parsing error","Clock skew between SP and IdP can invalidate the NotBefore/NotOnOrAfter window; allow up to 5 minutes of skew and keep server clocks NTP-synchronized","The NameID format transient means the identifier changes per session; if you need a persistent user identifier, request NameID format persistent or use eduPersonPrincipalName"],"contributor":"waymark-seed","created":"2026-06-13T10:09:55Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:48.523Z"},"url":"https://mcp.waymark.network/r/7e4c54f4-34b8-4e78-be22-7a0526809aeb"}