Attributes being removed from SAML1 Service Provider because they cannot be encoded.

Khanna, Sumit (khannast) khannast at ucmail.uc.edu
Tue Aug 2 18:16:38 BST 2011


Sorry, I'm a little confused. So using SAML1, are SPs supposed to pull
attributes via the backchannel (is pushing not supported at all in SAML1?) I
contacted support for NIH (the SP) and was told "our federation product is
CA siteminder and this is not capable of pulling SAML1 attributes through
backchannel."

I was also a little confused because they required the following attributes
to be released:

urn:mace:dir:attribute-def:eduPersonPrincipalName,
urn:mace:dir:attribute-def:mail, urn:mace:dir:attribute-def:sn,
urn:mace:dir:attribute-def:givenName, urn:oid:1.3.6.1.4.1.5923.1.1.1.6

In our attribute-resolver, we have all the urn:mace.. for the SAML1String
and SAML1XMLObject types and we use the OID for all the SAML2 types. The OID
1.3.6.1.4.1.5923.1.1.6 already represents the eduPersonPrincipalName, so I
asked why it was included twice and was told:

>> Our product also cannot parse the attribute
>> urn:mace:dir:attribute-def:eduPersonPrincipalName as there is a scope
>> parameter attached to it so the new attribute
>> urn:oid:1.3.6.1.4.1.5923.1.1.1.6 was designed by shibb developers which has
>> the value of scope as in-line.
>>
>> The specific requirement for the shibb IPDs is to release the attribute
>> urn:oid:1.3.6.1.4.1.5923.1.1.1.6 to use our service provider.

I'm kinda lost here. Do I define a new parameter as a SAML1String using the
OID and how do I push those attributes via SAML1?

Sumit
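
An added illustration, not part of the original thread or of the Shibboleth project's shipped files, of the two pieces the question above asks about, written against the IdP 2.x configuration syntax as I understand it: a second SAML1 encoder under the OID name with the scope placed inline in the value, and a relying-party profile that pushes an attribute statement in the SAML1 response so the SP never has to query the back channel. The scope `example.edu`, the connector id `myLDAP`, the entity IDs and the credential ref are placeholders.

```xml
<!-- attribute-resolver.xml (assumes the ad:, enc:, resolver: prefixes are
     declared on the root element as in the stock IdP 2.x file). -->
<resolver:AttributeDefinition id="eduPersonPrincipalName"
    xsi:type="ad:Scoped" scope="example.edu" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP" />

    <!-- Usual SAML1 encoding: the scope travels as an XML attribute,
         <AttributeValue Scope="example.edu">jdoe</AttributeValue>.
         This is the form the SP in the thread says it cannot parse. -->
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
        name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />

    <!-- Second SAML1 encoding under the OID name with the scope inlined,
         <AttributeValue>jdoe@example.edu</AttributeValue>. Because it is a
         SAML1 encoder, the attribute is not dropped from a SAML1 response
         with the "cannot be encoded" message in the subject line. -->
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" scopeType="inline" />

    <!-- Existing SAML2 encoding, unchanged. -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        friendlyName="eduPersonPrincipalName" />
</resolver:AttributeDefinition>

<!-- relying-party.xml: for this SP, include the attribute statement in the
     Shibboleth (SAML1) SSO assertion instead of expecting a back-channel
     attribute query. -->
<rp:RelyingParty id="https://sp.example.org/shibboleth"
    provider="https://idp.example.edu/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
        includeAttributeStatement="true" assertionLifetime="PT5M"
        signResponses="conditional" signAssertions="never" />
</rp:RelyingParty>
```

The attribute filter policy works on the resolver attribute id (`eduPersonPrincipalName`), so releasing that id to the SP covers every encoder attached to it; check the released SAML1 assertion afterwards to confirm both attribute names appear with the expected value shapes.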


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On
Behalf Of Arjuna Scagnetto
Sent: Tuesday, August 02, 2011 11:58 AM
To: Shib Users
Subject: Re: Attributes being removed from SAML1 Service Provider because
they cannot be encoded.


With the word "problem" I mean something that doesn't make things work as we
want.

For sure in my case it was a misconfiguration, not a Shibboleth IdP software
problem.

Sorry for the misunderstanding.

Arjuna

On 02/08/2011 17.41, Cantor, Scott E. wrote:
> On 8/2/11 11:34 AM, "Arjuna Scagnetto" <ascagnetto at units.it> wrote:
> 
>> I've seen exactly the same problem some weeks ago.
> 
> There is no problem, that's the point.
> 
> If the SP isn't getting the data you want it to, it isn't because of 
> those DEBUG messages or because a transient identifier isn't released. 
> That SP doesn't query for attributes, so you have to push them, at 
> which point the NameID doesn't matter.
> 
> -- Scott
> 
> --
> To unsubscribe from this list send an email to 
> users-unsubscribe at shibboleth.net