Issues releasing Static Attributes with IdP 2.3.4
Dan McLaughlin
dmclaughlin at tech-consortium.com
Wed Nov 2 21:22:39 GMT 2011
Since 2.1.5 we've defined and released Static Attributes. Today we
upgraded one of our IdPs from 2.3.3 to 2.3.4 and all of the Static
Attributes are no longer being released by the IdP. If I enable debug
logging I can see the Attribute Filter process the attribute, but
that's the last I see mention of the Static Attribute anywhere in the
logs. I diff'd our config files looking for typos between 2.3.3 and
2.3.4; there is no difference (that I could find), and if I put 2.3.3
back it starts releasing the attributes again. This leads me to
believe there has been some change in 2.3.4 that is affecting the
release of Static Attributes. Has anyone else seen issues releasing
static attributes in IdP 2.3.4?

Here is an example of how we are releasing static attributes...
#################
attribute-resolver.xml
#################
<!-- Static Attribute Definition -->
...
<resolver:AttributeDefinition id="AgencyID" xsi:type="ad:Simple"
        sourceAttributeID="MyStaticAttribute">
    <resolver:Dependency ref="MYSTATICDC" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="MyStaticAttribute" friendlyName="MyStaticAttribute" />
</resolver:AttributeDefinition>
...
<!-- Static Data Connectors -->
<resolver:DataConnector id="MYSTATICDC" xsi:type="dc:Static">
    <dc:Attribute id="MyStaticAttribute">
        <dc:Value>1234</dc:Value>
    </dc:Attribute>
</resolver:DataConnector>
##############
attribute-filter.xml
##############
<afp:AttributeFilterPolicy id="releaseToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    ...
    <afp:AttributeRule attributeID="MyStaticAttribute">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Here is the process log for the IdP showing the MyStaticAttribute
passing the permit value rule, but that's the last time you ever see
mention of it again.
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:71]
- shibboleth.AttributeFilterEngine filtering 7 attributes for
principal myuser
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130]
- Evaluating if filter policy releaseToAnyone is active for principal
myuser
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139]
- Filter policy releaseToAnyone is active for principal myuser
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
- Processing permit value rule for attribute uid for principal myuser
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
- Processing permit value rule for attribute email for principal
myuser
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
- Processing permit value rule for attribute HexGUID for principal
myuser
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
- Processing permit value rule for attribute givenName for principal
myuser
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
- Processing permit value rule for attribute surname for principal
myuser
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
- Processing permit value rule for attribute telephoneNumber for
principal myuser
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
- Processing permit value rule for attribute MyStaticAttribute for
principal myuser
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130]
- Evaluating if filter policy releaseTransientIdToAnyone is active for
principal myuser
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139]
- Filter policy releaseTransientIdToAnyone is active for principal
myuser
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
- Processing permit value rule for attribute transientId for principal
myuser
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109]
- Attribute uid has 1 values after filtering
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109]
- Attribute email has 1 values after filtering
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109]
- Attribute telephoneNumber has 1 values after filtering
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109]
- Attribute HexGUID has 1 values after filtering
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109]
- Attribute transientId has 1 values after filtering
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109]
- Attribute surname has 1 values after filtering
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109]
- Attribute givenName has 1 values after filtering
15:27:49.965 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114]
- Filtered attributes for principal myuser. The following attributes
remain: [uid, email, telephoneNumber, HexGUID, transientId, surname,
givenName]
15:27:49.985 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:499]
- Creating attribute statement in response to SAML request
'_192837412983471298347129847' from relying party
'https://www.mydomain.com/shibboleth'
15:27:49.995 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:215]
- Encoded attribute uid with encoder of type
edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2ScopedStringAttributeEncoder
15:27:49.995 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:215]
- Encoded attribute email with encoder of type
edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
15:27:49.995 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:215]
- Encoded attribute telephoneNumber with encoder of type
edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
15:27:49.995 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:215]
- Encoded attribute HexGUID with encoder of type
edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
15:27:49.995 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:226]
- Attribute transientId was not encoded because no
SAML2AttributeEncoder was attached to it.
15:27:49.995 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:215]
- Encoded attribute surname with encoder of type
edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
15:27:49.995 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:215]
- Encoded attribute givenName with encoder of type
edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
15:27:50.005 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:509]
- Filtering out potential name identifier attributes which can not be
encoded by edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
--
Thanks,
Dan McLaughlin
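
The triage the post does by eye, as an added example that is not part of the original message or of the Shibboleth code base: it re-joins the wrapped debug entries and reports, per attribute, the furthest stage (permit rule, post-filter count, SAML2 encoding) at which the log mentions it. The sample log is constructed in the shape of the one above, and the verdict labels are names chosen for this example.

```python
import re

# Constructed sample in the shape of the IdP debug log above, including the
# mail-archive wrapping; the class name and line number are placeholders.
_MSGS = [
    "- Processing permit value rule for attribute uid for principal myuser",
    "- Processing permit value rule for attribute MyStaticAttribute for\nprincipal myuser",
    "- Processing permit value rule for attribute transientId for principal\nmyuser",
    "- Attribute uid has 1 values after filtering",
    "- Attribute transientId has 1 values after filtering",
    "- Encoded attribute uid with encoder of type\nx.SAML2StringAttributeEncoder",
    "- Attribute transientId was not encoded because no\nSAML2AttributeEncoder was attached to it.",
]
SAMPLE_LOG = "\n".join(f"15:27:49.965 - DEBUG\n[x.Engine:1]\n{m}" for m in _MSGS)

ENTRY_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} - [A-Z]+", re.M)

# Verdict labels (chosen for this example), ordered from the last pipeline
# stage to the first; an attribute gets the furthest stage it was seen at.
STAGES = [
    ("encoded for SAML2", re.compile(r"Encoded attribute (\S+) with encoder")),
    ("kept by filter, no SAML2 encoder attached",
     re.compile(r"Attribute (\S+) was not encoded because")),
    ("kept by filter, never reached encoding",
     re.compile(r"Attribute (\S+) has [1-9]\d* values after filtering")),
    ("rule evaluated, absent from filter output",
     re.compile(r"Processing permit value rule for attribute (\S+) for")),
]

def entries(log_text):
    """Re-join wrapped lines so that each log entry is one string."""
    starts = [m.start() for m in ENTRY_START.finditer(log_text)]
    for begin, end in zip(starts, starts[1:] + [len(log_text)]):
        yield " ".join(log_text[begin:end].split())

def report(log_text):
    """Return {attribute id: furthest stage at which the log mentions it}."""
    best = {}
    for entry in entries(log_text):
        for rank, (_, pattern) in enumerate(STAGES):
            match = pattern.search(entry)
            if match:
                attr = match.group(1)
                best[attr] = min(rank, best.get(attr, len(STAGES)))
    return {attr: STAGES[rank][0] for attr, rank in best.items()}

if __name__ == "__main__":
    for attr, stage in report(SAMPLE_LOG).items():
        print(f"{attr}: {stage}")
```

In the log as posted, the engine reports filtering 7 attributes and lists 7 remaining, none of them MyStaticAttribute, so the last verdict there points at what the resolver handed to the filter rather than at the filter policy.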