...
Every SP-authenticated principal will be given the role ShibbolethAuthN. Additionally the attribute called "affiliation" will be queried and its values used as roles. Hence if a user logged in via the SP and the following attributes were provided
eppn : "
jdoe"affiliation : "
member@example.org", "student@example.org"
The session would be have the REMOTE_USER variable set to be "jdoe" (assuming that the default settings) and the following roles:
...