Multi-valued attributes - some values not encoded by IdP?

Chad La Joie lajoie at itumi.biz
Fri Aug 12 18:35:37 BST 2011


You'll need to turn on debug logging for the resolver and filter engine.

On Fri, Aug 12, 2011 at 13:13, Phil Chapman <phil at atomwide.com> wrote:
> I'm running IdP v2.3.2 with the attribute resolver configured to use a RelationalDatabase DataConnector.  The DataConnector may return multiple rows, in which case I expect attributes released to SPs to be encoded with multiple values.  (Although if an attribute has the *same* value in one or more rows, I don't care whether the IdP sends a single instance of the value, or repeated instances of the same value.)
>
> I have a situation where three rows are returned by my DataConnector, and two of the attributes - eduPersonScopedAffiliation and Entitlement - have different values in all three rows.  The IdP is encoding all three values of Entitlement in the attribute assertion which it makes, but only the first of the three eduPersonScopedAffiliation values.  There is nothing in the debug log to suggest that eduPersonScopedAffiliation values are being discarded.  Can anyone explain why two eduPersonScopedAffiliation values are being ignored?
>
> FWIW, I'm fairly sure that all attributes were being handled correctly in the past, so this behaviour *may* have been introduced by the move to v2.3.
>
> attribute-resolver.xml contains:
>
>    <resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Prescoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
>        sourceAttributeID="ScopedAff">
>        <resolver:Dependency ref="SQL" />
>
>        <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>            name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" scopeType="attribute" />
>
>        <resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
>    </resolver:AttributeDefinition>
>
>    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
>        sourceAttributeID="Entitlement">
>        <resolver:Dependency ref="SQL" />
>
>        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>            name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
>
>        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
>    </resolver:AttributeDefinition>
>
> I can provide an extract of idp-process.log (in DEBUG mode) if that would help.
>
> Thanks,
> Phil.
>



-- 
Chad La Joie
www.itumi.biz
trusted identities, delivered
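
An added example, not part of the original thread and not Shibboleth code: a small check that compares the values in a SAML 2 AttributeStatement received by an SP against the values the DataConnector rows should produce, and lists any that were not released. The sample statement, the attribute values and the function names are constructed for illustration; only the two attribute OIDs come from the configuration quoted above.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SCOPED_AFF = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"   # eduPersonScopedAffiliation
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"  # eduPersonEntitlement

# Constructed sample: the symptom from the thread (three entitlement values,
# only one scoped affiliation value). Not taken from a real IdP.
SAMPLE_STATEMENT = f"""\
<saml:AttributeStatement xmlns:saml="{SAML_ASSERTION_NS}">
  <saml:Attribute Name="{SCOPED_AFF}" FriendlyName="eduPersonScopedAffiliation">
    <saml:AttributeValue>staff@a.example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{ENTITLEMENT}" FriendlyName="eduPersonEntitlement">
    <saml:AttributeValue>urn:example:entitlement:one</saml:AttributeValue>
    <saml:AttributeValue>urn:example:entitlement:two</saml:AttributeValue>
    <saml:AttributeValue>urn:example:entitlement:three</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed: the distinct values the three database rows should yield.
EXPECTED = {
    SCOPED_AFF: {"staff@a.example.org", "member@b.example.org",
                 "student@c.example.org"},
    ENTITLEMENT: {"urn:example:entitlement:one", "urn:example:entitlement:two",
                  "urn:example:entitlement:three"},
}

def released_values(statement_xml):
    """Map each Attribute Name to the set of AttributeValue strings present.
    Sets are used because repeated identical values do not matter here."""
    root = ET.fromstring(statement_xml)
    released = {}
    for attr in root.iter(f"{{{SAML_ASSERTION_NS}}}Attribute"):
        values = released.setdefault(attr.get("Name"), set())
        for value in attr.findall(f"{{{SAML_ASSERTION_NS}}}AttributeValue"):
            values.add((value.text or "").strip())
    return released

def missing_values(statement_xml, expected):
    """Return {attribute name: sorted expected values absent from the statement}."""
    released = released_values(statement_xml)
    report = {}
    for name, want in expected.items():
        lost = want - released.get(name, set())
        if lost:
            report[name] = sorted(lost)
    return report

if __name__ == "__main__":
    for name, lost in missing_values(SAMPLE_STATEMENT, EXPECTED).items():
        print(f"{name}: not released: {', '.join(lost)}")
```

The check only reads attribute values from a statement you captured in a test; it does not validate the assertion's signature or conditions.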

