Attribute question

Mike Flynn shibbolethlynda at yahoo.com
Fri Nov 4 19:18:32 GMT 2011


I have a client that I recently set up for access on my SP. It looks like he is passing EPPN to me but my logs say different...

Here is my log for them:

Log for this transaction:

2011-11-04 11:15:50 INFO Shibboleth-TRANSACTION [5]: New session (ID: _e7f3db1bd9078ee667cf2c772e6c0a61) with (applicationId: default) for principal from (IdP: https://alliancetest.qualcomm.com/fed/idp) at (ClientAddress: 199.106.103.56) with (NameIdentifier: hermanw) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: id-HxVw7C7c-1DVulMiyWj7g7TTWvo-)
2011-11-04 11:15:50 INFO Shibboleth-TRANSACTION [5]: Cached the following attributes with session (ID: _e7f3db1bd9078ee667cf2c772e6c0a61) for (applicationId: default) {
2011-11-04 11:15:50 INFO Shibboleth-TRANSACTION [5]: }

SAML response that was sent to me:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://shib.lynda.com/Shibboleth.sso/SAML2/POST" ID="id-IDUafNFKGVsBiRF5BuezAHrUh-Y-" InResponseTo="_02392b3136b431ce00d20cf83a5a744a" IssueInstant="2011-11-04T18:51:26Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://alliancetest.qualcomm.com/fed/idp</saml:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#id-IDUafNFKGVsBiRF5BuezAHrUh-Y-"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod
 Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>dts5FfUffH6YHh/pHXRVruVStdw=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>hPc8+wJVSiNK+oCSvGu/zwsfYbvOXCn0Hhs7c0HJdRS1vdQY5ABbh+T4XUfmLTkd0uLuail1hLYaz587q2IEpInU5mGjrPlOCv8fqIT2g+Aar5+WDQ/Ke2HgLsop/lvNkZ/BkSWRbKfVHgPS3sHynCzpdZQQFr3Jgm/KRRVd0cw=</dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>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
/0qg==</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></dsig:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-DfqB0jVhyETVEoAXG9WXtCMkobU-" IssueInstant="2011-11-04T18:51:26Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://alliancetest.qualcomm.com/fed/idp</saml:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#id-DfqB0jVhyETVEoAXG9WXtCMkobU-"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod
 Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>9brkQTV/Rt0Yj2qETBVyZF+FCAM=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>WmwC0loQwUGME6J7RkyO/KUIkhLXa/S6NBKOjXP2CgXyZ4ixgI2S4cPdIdbAamGNWuU4AYGYtVngqyJKmUIZHHXhoFIGLFYPky96UZwA1VtU7A6g25HVYdPPJVwFa8ePk0X410Be8cRCzv9wjquPiL8kOzahHzEwmZeINJMnD6s=</dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>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
/0qg==</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></dsig:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hermanw</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_02392b3136b431ce00d20cf83a5a744a" NotOnOrAfter="2011-11-04T19:06:26Z" Recipient="https://shib.lynda.com/Shibboleth.sso/SAML2/POST"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-11-04T18:41:26Z" NotOnOrAfter="2011-11-04T19:06:26Z"><saml:AudienceRestriction><saml:Audience>https://shib.lynda.com/shibboleth-sp</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-11-04T18:51:25Z" SessionIndex="id-VQqkRfB6PKj04yupsqfWqt-wJJM-"
 SessionNotOnOrAfter="2011-11-04T19:51:26Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Attribute Name="EPPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">hermanw at qualcomm.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>

At the end of the SAML response there I can see:

<saml:Attribute Name="EPPN" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">hermanw at qualcomm.com</saml:AttributeValue></saml:Attribute>

So it *looks* like it is being passed...

Can anyone shed light on why it is not getting through?

Thanks!

(Running Shib SP 2.x on IIS7)
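
Added example, not part of the original post and not Shibboleth project code: it lists the (Name, NameFormat) pairs each assertion carries and sets them beside what the SP's Shibboleth-TRANSACTION log recorded as cached for the session created from that same AssertionID. Function names and the abridged sample data are assumptions made for this example; the IDs are taken from the post, where the logged session and the posted response carry different assertion IDs.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml when the XML is untrusted

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def sent_attributes(response_xml):
    """Assertion ID -> [(Name, NameFormat), ...] as sent by the IdP."""
    root = ET.fromstring(response_xml)
    return {a.get("ID"): [(at.get("Name"), at.get("NameFormat"))
                          for at in a.iter(SAML + "Attribute")]
            for a in root.iter(SAML + "Assertion")}

def cached_attributes(log_text):
    """AssertionID -> entries logged inside the SP's 'Cached the following attributes' block."""
    assertion_of, cached, current = {}, {}, None
    for line in log_text.splitlines():
        msg = line.split("]: ", 1)[-1].strip()
        new = re.search(r"New session \(ID: ([^)]+)\).*\(AssertionID: ([^)]+)\)", msg)
        opened = re.search(r"Cached the following attributes with session \(ID: ([^)]+)\)", msg)
        if new:
            assertion_of[new.group(1)] = new.group(2)
            cached.setdefault(new.group(2), [])
        elif opened:
            current = assertion_of.get(opened.group(1))
        elif msg == "}":
            current = None
        elif current is not None and msg:
            cached[current].append(msg)
    return cached

def compare(response_xml, log_text):
    """Per assertion: attributes sent, and what was cached (None: no session logged for it)."""
    cached = cached_attributes(log_text)
    return {aid: {"sent": attrs, "cached": cached.get(aid)}
            for aid, attrs in sent_attributes(response_xml).items()}

# Constructed sample: the post's response cut down to the assertion's attribute (signatures omitted).
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion ID="id-DfqB0jVhyETVEoAXG9WXtCMkobU-"><saml:AttributeStatement>
  <saml:Attribute Name="EPPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
# Log lines from the post, abridged to the fields the parser reads.
LOG = """2011-11-04 11:15:50 INFO Shibboleth-TRANSACTION [5]: New session (ID: _e7f3db1bd9078ee667cf2c772e6c0a61) with (applicationId: default) from (AssertionID: id-HxVw7C7c-1DVulMiyWj7g7TTWvo-)
2011-11-04 11:15:50 INFO Shibboleth-TRANSACTION [5]: Cached the following attributes with session (ID: _e7f3db1bd9078ee667cf2c772e6c0a61) for (applicationId: default) {
2011-11-04 11:15:50 INFO Shibboleth-TRANSACTION [5]: }"""

if __name__ == "__main__":
    print(compare(RESPONSE, LOG))
```

A `cached` value of `None` means the log holds no session for that assertion, so the two captures are from different logins. An empty list for an assertion that did carry attributes points at the SP's own extraction and filtering (attribute-map.xml and attribute-policy.xml in a default SP 2.x install) rather than at the IdP.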