"non-NameID-valued attribute" for hashed NameID
Peter Schober
peter.schober at univie.ac.at
Fri Nov 18 11:19:22 GMT 2011
On a newly installed SP on RHEL6 (64-bit, from the OBS repo) I'm
trying to activate hashing of NameIDs in the attribute map, like I did
on other SPs. This time I see warnings in shibd.log and the value is
removed as a consequence:
2011-11-18 11:58:09 WARN Shibboleth.AttributeFilter [2]: NameIDQualifierString MatchFunctor applied to non-NameID-valued attribute (persistent-id)
2011-11-18 11:58:09 WARN Shibboleth.AttributeFilter [2]: removed value at position (0) of attribute (persistent-id) from (https://idp.example.edu/shibboleth)
2011-11-18 11:58:09 WARN Shibboleth.AttributeFilter [2]: no values left, removing attribute (persistent-id) from (https://idp.example.edu/shibboleth)
The strange thing is that with the same version of the SP (RPM
shibboleth-2.4.3-2.2) on another system (RHEL5 32-bit) the same thing
works just fine -- from the same IdP with the same principal.
The attribute filter on the IdP should treat both SPs the same, so the
same type of NameID should be released.
The config change in the attribute-map.xml in both cases simply is
adding hashAlg="md5" (or sha1) to the AttributeDecoder for the
Attribute/@name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
When I do not add hashAlg to the AttributeDecoder everything comes
through fine and looks like your ordinary NameID, decoded into
IdP-entity!SP-entity!federated-id-for-principal
On the wire (i.e., from shibd.log on DEBUG) it looks OK too:
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://idp.example.edu/shibboleth"
SPNameQualifier="https://sp.example.edu/shibboleth">g3NJuatFEzXiI0IIUxCpS/X9WbY=</saml2:NameID>
...
</saml2:Subject>
Any ideas?
-peter
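For readers following along, here is the shape of the configuration the post is describing. This is an added illustration, not a fragment from Peter's own files: the `id="persistent-id"` and `formatter="$NameQualifier!$SPNameQualifier!$Name"` values are the ones the stock SP 2.4 attribute-map.xml ships with (assumed here, which is consistent with the `IdP-entity!SP-entity!federated-id` value the post reports), and the attribute-policy.xml rule is the stock one that uses the NameIDQualifierString match functor named in the warning.

```xml
<!-- attribute-map.xml: stock persistent-id entry (assumed default), and the
     same entry with the hashAlg change the post describes. -->

<!-- before: value decoded as IdP-entity!SP-entity!federated-id -->
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
  <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                    formatter="$NameQualifier!$SPNameQualifier!$Name"
                    defaultQualifiers="true"/>
</Attribute>

<!-- after: same decoder with hashAlg added (md5 or sha1 as in the post) -->
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
  <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                    formatter="$NameQualifier!$SPNameQualifier!$Name"
                    defaultQualifiers="true"
                    hashAlg="sha1"/>
</Attribute>

<!-- attribute-policy.xml: stock rule for persistent-id (assumed default).
     This is the NameIDQualifierString MatchFunctor that the warning in
     shibd.log says is being applied to a non-NameID-valued attribute. -->
<afp:AttributeRule attributeID="persistent-id">
  <afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
</afp:AttributeRule>
```

When comparing the two SPs, the practical check is to diff both attribute-map.xml and attribute-policy.xml between the working RHEL5 host and the failing RHEL6 host, since the log lines in the post come from the attribute filter (Shibboleth.AttributeFilter), not from the decoder, and the filter policy is what decides whether the decoded value survives.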