Shibboleth: handle Identity Providers that provide multiple first or last names separated by semicolons in indeterminate order #1608
Comments
I suggest explaining a possibly changing name in support documents. Perhaps for Shib users, a link to the exact docs could be added below their profile name in small print: Why did my profile name change? Or when a change is detected on login, this could be sent as a notification ("We updated your profile name with the new information we received from [your identity provider]") with a link to the doc.
Now the Shib code looks for multiple values for firstName and lastName, sorts them alphabetically, and uses the first value. At least this way users shouldn't see their name changing. And if they prefer the value that comes later in the alphabet, they can talk to their identity provider. Moving to QA.
@posixeleni has a shib account with multiple names. Phil sat with her and confirmed the multi name case works as expected. Closing.
- Put email addresses through the same "find single value" logic originally developed in #1608 for multiple first and last names.
- Add `@ValidateEmail` to the "email" field on AuthenticatedUser to match BuiltinUser.
- Add null check to EmailValidator to make it testable.
- Add `INVALID_EMAIL` and `MISSING_REQUIRED_ATTR` modes for Shib testing in dev.
- Remove red warning when TestShib doesn't provide "mail" attribute.
- Catch authSvc.createAuthenticatedUser exceptions and handle errors better.
- Reformat code (getPrettyFacesHomePageString seems ok).
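The "find single value" logic described in the comments above (sort the semicolon-separated values and take the first, applied to first name, last name and now email), as an added Python sketch that is not Dataverse's own Java code. The attribute names, the set of required attributes, the simple email regex and the sample values are assumptions made for this example.

```python
import re

# Constructed sample of attributes as a Shibboleth SP might expose them to the
# application; the names and addresses are made up for this example.
SAMPLE_ATTRIBUTES = {
    "givenName": "Alicia;Alice",
    "sn": "Smith",
    "mail": "alice@example.edu;asmith@example.edu",
}

MULTI_VALUE_SEPARATOR = ";"          # how the IdP joins multi-valued attributes
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately simple check
REQUIRED_ATTRIBUTES = ("givenName", "sn", "mail")    # assumption for this sketch


def find_single_value(raw):
    """Pick one value from a possibly multi-valued Shibboleth attribute.

    Splits on ';', drops empty fragments, de-duplicates and sorts, then takes
    the first entry. Sorting is what keeps the choice stable across logins
    even though the IdP sends the values in no fixed order.
    """
    if raw is None:
        return None
    values = sorted({v.strip() for v in raw.split(MULTI_VALUE_SEPARATOR) if v.strip()})
    return values[0] if values else None


def is_valid_email(address):
    return address is not None and EMAIL_RE.match(address) is not None


def resolve_user(attributes):
    """Map raw attributes to the fields an authenticated user record needs.

    Returns (user_dict, error); error is None, "MISSING_REQUIRED_ATTR" or
    "INVALID_EMAIL", names chosen to mirror the dev-testing modes listed above.
    """
    for name in REQUIRED_ATTRIBUTES:
        if find_single_value(attributes.get(name)) is None:
            return None, "MISSING_REQUIRED_ATTR"
    email = find_single_value(attributes["mail"])
    if not is_valid_email(email):
        return None, "INVALID_EMAIL"
    user = {
        "firstName": find_single_value(attributes["givenName"]),
        "lastName": find_single_value(attributes["sn"]),
        "email": email,
    }
    return user, None
```

Because the values are sorted before one is chosen, swapping the order the IdP sends them in ("Alice;Alicia" versus "Alicia;Alice") yields the same stored name.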
At least one Identity Provider is known to sometimes provide more than one first name (givenName) separated by semicolons. From internal discussion it is believed that multiple last names (sn) are also possible.
Unfortunately, it sounds like we cannot rely on the first value being the preferred one: "The IdP is going to pass back multiple values for multivalued attributes. There's no set order that I know of." So if we just always persist the first value, the user might notice that their first name keeps changing.
Hopefully not too many Identity Providers return multiple first names. For both "givenName" and "sn" Ohio State, for example, says, "The attribute is currently single-valued" at https://webauth.service.ohio-state.edu/~shibboleth/attributes.html. The Identity Provider is probably in the best position to decide which givenName is the preferred one, so it makes sense that many of them only send a single value.