Fixed
Assignee: Rod Widdowson
Reporter: Jon Agland
Created May 19, 2017 at 10:56 AM
Updated June 22, 2021 at 11:04 PM
Resolved April 29, 2018 at 10:27 AM
Discussed in this thread - http://shibboleth.1660669.n2.nabble.com/Questions-about-making-Shibboleth-IdP-Windows-Installer-easier-to-deploy-searchFilter-useStartTLS-Ho-td7633230.html
Assuming Shibboleth IdP Windows Installer users are going to go the route of using Active Directory (AD) as the LDAP source for their Shibboleth IdP, then it would be useful if idp.attribute.resolver.LDAP.searchFilter= used sAMAccountName rather than uid. This appears to have already happened for idp.authn.LDAP.userFilter=.
Proposing an improvement to replace this:
idp.attribute.resolver.LDAP.searchFilter= (uid=$resolutionContext.principal)
with this as part of either the Windows MSI installer, or other Shibboleth installer (the discussion with Rod and Scott also mentioned whether this should be considered in a cross-platform context):
idp.attribute.resolver.LDAP.searchFilter=(sAMAccountName=$resolutionContext.principal)
Thanks,
Jon Agland, UK federation team, Jisc