diff --git a/flowspec/views.py b/flowspec/views.py
index 39baedcbe2a527743783cae4d17b9d468e0f4895..af8637daa0e0a30292dda1b4b5e0cf46817f2ec7 100644
--- a/flowspec/views.py
+++ b/flowspec/views.py
@@ -724,6 +724,34 @@ def user_profile(request):
         },
     )
 
+def get_shibboleth_attrib_info_from_settings(attrib_key, add_long_info):
+  try:
+    attrib_name = getattr(settings, attrib_key).get[0]
+  except:
+    attrib_key = attrib_key
+  try:
+    attrib_display_name = getattr(settings, attrib_key+"_DISPLAY_NAME")
+  except:
+    attrib_display_name = None
+  try:
+    attrib_display_addinfo = getattr(settings, attrib_key+"_DISPLAY_ADDINFO")
+  except:
+      attrib_display_addinfo = None
+
+  attrib_info = ""
+  if attrib_display_name != None and attrib_display_name!="":
+    attrib_info = attrib_display_name
+  else:
+    attrib_info = attrib_key # remove ^HTTP_ and then ^SHIB_
+    if attrib_info.startswith("HTTP_"):
+      attrib_info[len("HTTP_"):]
+    if attrib_info.startswith("SHIB_"):
+      attrib_info[len("SHIB_"):]
+
+  if add_long_info and attrib_display_addinfo != None and attrib_display_addinfo!="":
+    attrib_info = attrib_info+" ("+attrib_display_addinfo+")"
+
+  return attrib_info
 
 @never_cache
 def user_login(request):
@@ -742,6 +770,22 @@ def user_login(request):
         mail = lookupShibAttr(settings.SHIB_MAIL, request.META)
         entitlement = lookupShibAttr(settings.SHIB_ENTITLEMENT, request.META)
 
+        username__attrib_info1 = get_shibboleth_attrib_info_from_settings("SHIB_USERNAME", False)
+        entitlement__attrib_info1 = get_shibboleth_attrib_info_from_settings("SHIB_ENTITLEMENT", False)
+        mail__attrib_info1 = get_shibboleth_attrib_info_from_settings("SHIB_MAIL", False)
+        username__attrib_info = get_shibboleth_attrib_info_from_settings("SHIB_USERNAME", True)
+        entitlement__attrib_info = get_shibboleth_attrib_info_from_settings("SHIB_ENTITLEMENT", True)
+        mail__attrib_info = get_shibboleth_attrib_info_from_settings("SHIB_MAIL", True)
+        givenname__attrib_info = get_shibboleth_attrib_info_from_settings("SHIB_FIRSTNAME", True)
+        surname__attrib_info = get_shibboleth_attrib_info_from_settings("SHIB_LASTNAME", True)
+
+        if settings.SHIB_AUTH_ENTITLEMENT != "":
+          required_attributes_attribute_info__list = [ username__attrib_info, mail__attrib_info, entitlement__attrib_info ]
+        else:
+          required_attributes_attribute_info__list = [ username__attrib_info, mail__attrib_info ]
+
+        optional_attributes_attribute_info__list = [ givenname__attrib_info, surname__attrib_info ]
+
         if settings.SHIB_AUTH_ENTITLEMENT in entitlement.split(";"):
             has_entitlement = True
         if not has_entitlement:
@@ -749,18 +793,23 @@ def user_login(request):
         if not mail:
             error_mail = True
         if error_username:
-            error = _("Your idP should release the HTTP_EPPN attribute towards this service<br>")
+            #error = _("Your idP should release the HTTP_EPPN attribute towards this service<br>")
+            error = _("Your idP should release the "+username__attrib_info1+" attribute towards this service<br>")
         if error_entitlement:
-            error = error + _("Your idP should release an appropriate HTTP_SHIB_EP_ENTITLEMENT attribute towards this service<br>")
+            #error = error + _("Your idP should release an appropriate HTTP_SHIB_EP_ENTITLEMENT attribute towards this service<br>")
+            error = error + _("Your idP should release an appropriate "+entitlement__attrib_info1+" attribute towards this service<br>")
         if error_mail:
-            error = error + _("Your idP should release the HTTP_SHIB_INETORGPERSON_MAIL attribute towards this service")
+            #error = error + _("Your idP should release the HTTP_SHIB_INETORGPERSON_MAIL attribute towards this service")
+            error = error + _("Your idP should release the "+mail__attrib_info1+" attribute towards this service")
         if error_username or error_orgname or error_entitlement or error_mail:
             return render(
                 request,
                 'error.html',
                 {
                     'error': error,
-                    "missing_attributes": True
+                    "missing_attributes": True,
+                    "required_attributes_attribute_info__list" : required_attributes_attribute_info__list,
+                    "optional_attributes_attribute_info__list" : optional_attributes_attribute_info__list
                 },
             )
         try:
diff --git a/flowspy/settings.py.dist b/flowspy/settings.py.dist
index b82dbf1d5d7eb4a5c7b21dc83979c12c7cac8c2b..10044a321c683daebff8a1ab2fea6d9d9abdd397 100644
--- a/flowspy/settings.py.dist
+++ b/flowspy/settings.py.dist
@@ -286,14 +286,63 @@ SHIB_AUTH_ENTITLEMENT = 'urn:mace:example.com:pki:user'
 SHIB_ADMIN_DOMAIN = 'example.com'
 SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'
 
+##############################################################################
 # Shibboleth attribute map
-SHIB_USERNAME = ['HTTP_EPPN']
-SHIB_SLUGIFY_USERNAME = False
+
+# general info on these shibboleth attribute definitions:
+# *_DISPLAY_NAME and *_ADDINFO should give edugain-global names and definitions and so match definitions in /etc/shibboleth/attribute-map.xml
+# as values of the * variables (SHIB_ENTITLEMENT, SHIB_USERNAME, SHIB_MAIL, SHIB_FIRSTNAME, SHIB_LASTNAME) are in principle only host-config-local keys
+#
+# values of *_DISPLAY* are shown in edugain/login-related error messages for users; 
+# instead, the values of * variables (e.g. SHIB_ENTITLEMENT, ...) are of no use for users and just confusing!
+#
+# specifically:
+# *_DISPLAY_NAME should be a single string fully identifying the required attribute in an human-readable fashion
+# *_DISPLAY_ADDINFO should be a string and should correspondingly contain descriptions for each array element of the value of the * variable
+
+# e.g. for SHIB_ENTITLEMENT = "HTTP_ENTITLEMENT" => 
+# 
+# key in /etc/shibboleth/attribute-map.xml is "entitlement":
+#    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+#    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"-->
+
+SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT'] # value in settings.py.dist
+#SHIB_ENTITLEMENT = ['HTTP_ENTITLEMENT']
+SHIB_ENTITLEMENT_DISPLAY_NAME = "eduPersonEntitlement"
+SHIB_ENTITLEMENT_DISPLAY_ADDINFO = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7; the value of this attribute also has to include 'urn:mace:example.com:pki:user'"
+#SHIB_ENTITLEMENT_DISPLAY_ADDINFO = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
+
+# (";"-separated) part of value of attribute with key SHIB_ENTITLEMENT needed in order to be considered a valid user:
+# if SHIB_AUTH_ENTITLEMENT is empty no constraint on SHIB_ENTITLEMENT attribute value is enforced (can even be missing)
+SHIB_AUTH_ENTITLEMENT = 'urn:mace:example.com:pki:user'
+#SHIB_AUTH_ENTITLEMENT = '' # is also in settings_local.py so override it there
+
+SHIB_USERNAME = ['HTTP_EPPN'] # in settings.py.dist # originally used for SHIB_USERNAME
+SHIB_USERNAME_DISPLAY_NAME = "eduPersonPrincipalName"
+SHIB_USERNAME_DISPLAY_ADDINFO = "urn:mace:dir:attribute-def:eduPersonPrincipalName or urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+#SHIB_USERNAME = ['HTTP_PERSISTENT_ID']
+#SHIB_USERNAME_DISPLAY_NAME = "PERSISTENT_ID"
+#SHIB_USERNAME_DISPLAY_ADDINFO = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
+
+SHIB_SLUGIFY_USERNAME = False # value in settings.py.dist
+#SHIB_SLUGIFY_USERNAME = True
 
 SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
-SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']
-SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']
-SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']
+SHIB_MAIL_DISPLAY_NAME = "MAIL"
+SHIB_MAIL_DISPLAY_ADDINFO = "urn:mace:dir:attribute-def:mail or urn:oid:0.9.2342.19200300.100.1.3 or SHIB_INETORGPERSON_MAIL"
+
+# both optional:
+SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME'] # value in settings.py.dist
+#SHIB_FIRSTNAME = ['HTTP_GIVENNAME']
+SHIB_FIRSTNAME_DISPLAY_NAME = "GIVENNAME"
+SHIB_FIRSTNAME_DISPLAY_ADDINFO = "urn:mace:dir:attribute-def:givenName or urn:oid:2.5.4.42"
+
+SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME'] # value in settings.py.dist
+#SHIB_LASTNAME = ['HTTP_SURNAME']
+SHIB_LASTNAME_DISPLAY_NAME = "SURNAME"
+SHIB_LASTNAME_DISPLAY_ADDINFO = "urn:mace:dir:attribute-def:sn or urn:oid:2.5.4.4"
+
+##############################################################################
 
 # BCC mail addresses
 NOTIFY_ADMIN_MAILS = ["admin@example.com"]
diff --git a/templates/error.html b/templates/error.html
index b790bd681057dc659307bcde7c14525dbb3c7704..94e932f7070d5615f33d4b130efe40331a9211ad 100644
--- a/templates/error.html
+++ b/templates/error.html
@@ -49,16 +49,27 @@
 						{% if missing_attributes %}
 						<p>
 						{% trans "Required shibboleth attributes" %}:<br>
-						TODO:
 						<ul>
+              {% if required_attributes_attribute_info__list %}
+                {% for attribute_info in required_attributes_attribute_info__list %}
+            <li>{{ attribute_info }}</li>
+                {% endfor %}
+              {% else %}
 						<li>eduPersonPrincipalName</li>
 						<li>mail</li>
 						<li>eduPersonEntitlement</li>
+              {% endif %}
 						</ul>
 						{% trans "Optional" %}:
 						<ul>
+              {% if optional_attributes_attribute_info__list %}
+                {% for attribute_info in optional_attributes_attribute_info__list %}
+            <li>{{ attribute_info }}</li>
+                {% endfor %}
+              {% else %}
 						<li>givenName</li>
 						<li>sn</li>
+              {% endif %}
 						</ul>
 						</p>
 						{% endif %}