Passing attributes to testshib two

Wynne, David D.Wynne at ljmu.ac.uk
Tue Nov 20 11:24:42 EST 2012


First, thanks to everyone who helped with my Windows AD authentication. It is working now.

I'm trying to send an attribute to testshib two but I'm not sure if it's working. I thought it would appear in the

Shibboleth-protected TestShib Content

But it doesn't. The attribute is defined in attribute-resolver.xml:

        <resolver:AttributeDefinition
                id="eduPersonScopedAffiliation"
                xsi:type="Script"
                xmlns="urn:mace:shibboleth:2.0:resolver:ad" >

                <resolver:Dependency ref="myLDAP" />

                <resolver:AttributeEncoder
                        xsi:type="SAML1String"
                        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                        name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/>

                <resolver:AttributeEncoder
                        xsi:type="SAML2String"
                        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                        friendlyName="eduPersonScopedAffiliation"/>
                <Script>
                        <![CDATA[
                                importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
                                eduPersonScopedAffiliation = new BasicAttribute("eduPersonScopedAffiliation");
                                dn = distinguishedName.getValues().get(0).toLowerCase();
                                if (dn.contains("ou=staff")) {
                                        eduPersonScopedAffiliation.getValues().add("staff");
                                } else if (dn.contains("ou=student")) {
                                        eduPersonScopedAffiliation.getValues().add("student");
                                } else {
                                        eduPersonScopedAffiliation.getValues().add("member");
                                }
                        ]]>
                </Script>
        </resolver:AttributeDefinition>

And in attribute-filter.xml:


        <afp:AttributeFilterPolicy id="releaseBasicAttributesToAnyone">
                <afp:PolicyRequirementRule xsi:type="basic:ANY" />

                <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
                        <afp:PermitValueRule xsi:type="basic:ANY" />
                </afp:AttributeRule>

        </afp:AttributeFilterPolicy>


But in the idp-process.log it says Removing attribute eduPersonScopedAffiliation?

ring.provider.ShibbolethAttributeFilteringEngine:109] - Attribute eduPersonScopedAffiliation has 1 values after filtering
16:02:21.377 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal cmsdwynn.  The following attributes remain: [transientId, eduPersonScopedAffiliation]
16:02:21.378 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:215] - Encoded attribute eduPersonScopedAffiliation with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
16:02:21.379 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute eduPersonScopedAffiliation, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
      <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
16:02:21.425 - INFO [Shibboleth-Audit:989] - 20121120T160221Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_17f555f56a5a1d4c0f8002ec042c9314|https://sp.testshib.org/shibboleth-sp|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://java.cms.livjm.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_347d7854e5a6550ac3fea58c03741402|cmsdwynn|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|transientId,eduPersonScopedAffiliation,|_72da3968a255614eb5d7a94fb808c4de||





Dave Wynne
Senior Technical Officer
School Of Computing & Maths
James Parsons Building
Liverpool John Moores University
Byrom Street
Liverpool L3 3AF
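
An added example, not part of the original message: a small parser for the Shibboleth-Audit entry quoted in the log excerpt above, to read off which attribute IDs the IdP recorded as released to a given relying party. The field names and their order are an assumption based on the IdP 2.x audit log layout; the sample line is the one from this message with the mail wrap rejoined.

```python
# Added example: parse a Shibboleth IdP 2.x audit entry ('|'-delimited).
# ASSUMPTION: field names/order follow the IdP 2.x audit log layout.
AUDIT_FIELDS = (
    "event_time", "request_binding", "request_id", "relying_party",
    "message_profile", "asserting_party", "response_binding",
    "response_id", "principal", "authn_method", "released_attributes",
    "name_identifier", "assertion_ids",
)
LIST_FIELDS = ("released_attributes", "assertion_ids")  # comma-terminated lists

# The audit entry quoted in the message, with the mail line wrap rejoined.
SAMPLE = (
    "16:02:21.425 - INFO [Shibboleth-Audit:989] - 20121120T160221Z|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|"
    "_17f555f56a5a1d4c0f8002ec042c9314|"
    "https://sp.testshib.org/shibboleth-sp|"
    "urn:mace:shibboleth:2.0:profiles:saml2:sso|"
    "https://java.cms.livjm.ac.uk/idp/shibboleth|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
    "_347d7854e5a6550ac3fea58c03741402|cmsdwynn|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|"
    "transientId,eduPersonScopedAffiliation,|"
    "_72da3968a255614eb5d7a94fb808c4de||"
)


def parse_audit_line(line):
    """Return the audit entry as a dict; list fields become Python lists."""
    # Strip a logger prefix such as "... INFO [Shibboleth-Audit:989] - ".
    if "[Shibboleth-Audit" in line:
        line = line.split("] - ", 1)[-1]
    parts = line.strip().split("|")
    if parts and parts[-1] == "":
        parts.pop()  # every field is '|'-terminated, so one empty item trails
    if len(parts) != len(AUDIT_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(AUDIT_FIELDS), len(parts)))
    entry = dict(zip(AUDIT_FIELDS, parts))
    for key in LIST_FIELDS:
        entry[key] = [item for item in entry[key].split(",") if item]
    return entry


def released_to(line, relying_party):
    """Attribute IDs the entry records as released to relying_party ([] if other SP)."""
    entry = parse_audit_line(line)
    return entry["released_attributes"] if entry["relying_party"] == relying_party else []


if __name__ == "__main__":
    print(released_to(SAMPLE, "https://sp.testshib.org/shibboleth-sp"))
```
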

