Passing attributes to testshib two

Kevin P. Foote kpfoote at iup.edu
Tue Nov 20 11:29:39 EST 2012


David .. Looks like you are creating the attribute correctly if your IdP
is suppressing the release anyway.. :)

Now you have to verify that the attribute-filter.xml is releasing the attribute
to the SP .. (testshib) in your case.

You will want to set up a rule following the guidance on the wiki.. 

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAddAttributeFilter

------
thanks
  kevin.foote

On Tue, 20 Nov 2012, Wynne, David wrote:

-> First thanks to everyone who helped with my Windows AD authentication. It is working now.
-> 
-> I'm trying to send an attribute to testshib two but I'm not sure if it's working. I thought it would appear in the
-> 
-> Shibboleth-protected TestShib Content
-> 
-> But it doesn't. The attribute is defined in attribute-resolver.xml:
-> 
-> Shibboleth-protected TestShib Content
-> 
->         <resolver:AttributeDefinition
->                 id="eduPersonScopedAffiliation"
->                 xsi:type="Script"
->                 xmlns="urn:mace:shibboleth:2.0:resolver:ad" >
-> 
->                 <resolver:Dependency ref="myLDAP" />
-> 
->                     <resolver:AttributeEncoder
->                         xsi:type="SAML1String"
->                         xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
->                         name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/>
-> 
->                 <resolver:AttributeEncoder
->                         xsi:type="SAML2String"
->                         xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
->                         name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
->                         friendlyName="eduPersonScopedAffiliation"/>
->                 <Script>
->                         <![CDATA[
->                                 importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
->                                 eduPersonScopedAffiliation = new BasicAttribute("eduPersonScopedAffiliation");
->                                 dn = distinguishedName.getValues().get(0).toLowerCase();
->                                 if (dn.contains("ou=staff")) {
->                                         eduPersonScopedAffiliation.getValues().add("staff");
->                                 } else if (dn.contains("ou=student")) {
->                                         eduPersonScopedAffiliation.getValues().add("student");
->                                 } else {
->                                         eduPersonScopedAffiliation.getValues().add("member");
->                                 }
->                         ]]>
->                 </Script>
->         </resolver:AttributeDefinition>
-> 
-> And in attribute-filter.xml:
-> 
-> 
->         <afp:AttributeFilterPolicy id="releaseBasicAttributesToAnyone">
->                 <afp:PolicyRequirementRule xsi:type="basic:ANY" />
-> 
->                 <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
->                     <afp:PermitValueRule xsi:type="basic:ANY" />
->                 </afp:AttributeRule>
-> 
->     </afp:AttributeFilterPolicy>
-> 
-> 
-> But in the idp-process.log it says Removing attribute eduPersonScopedAffiliation ?
-> 
-> ring.provider.ShibbolethAttributeFilteringEngine:109] - Attribute eduPersonScopedAffiliation has 1 values after filtering
-> 16:02:21.377 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for
-> principal cmsdwynn.  The following attributes remain: [transientId, eduPersonScopedAffiliation]
-> 16:02:21.378 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:215] - Encoded attribute eduPersonScopedAffiliation with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
-> 16:02:21.379 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute eduPersonScopedAffiliation, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
->       <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
-> 16:02:21.425 - INFO [Shibboleth-Audit:989] - 20121120T160221Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_17f555f56a5a1d4c0f8002ec042c9314|https://sp.testshib.org/shibboleth-sp|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://java.cms.livjm.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_347d7854e5a6550ac3fea58c03741402|cmsdwynn|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|transientId,eduPersonScopedAffiliation,|_72da3968a255614eb5d7a94fb808c4de||
-> 
-> 
-> 
-> 
-> 
-> Dave Wynne
-> Senior Technical Officer
-> School Of Computing & Maths
-> James Parsons Building
-> Liverpool John Moores University
-> Byrom Street
-> Liverpool L3 3AF
-> 
-> 
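A small added check, not part of Kevin's reply, David's message, or the Shibboleth project's code, for the question Kevin raises: was the attribute actually released to the SP? It reads the IdP 2.x log lines quoted above (with the mail wrapping undone) and answers from the Shibboleth-Audit record, whose pipe-delimited field order is assumed here to be the IdP 2.x layout (auditEventTime through assertionIds, with released attribute ids as a comma list). The "Removing attribute ... SAML2NameIDEncoder" DEBUG line is assumed to come from the handler's NameID selection step, which is consistent with the same attribute still being listed in the audit record's released-attribute field.

```javascript
// Added example (not from the thread above, not Shibboleth project code).
// Assumed IdP 2.x Shibboleth-Audit field order, pipe-delimited:
const AUDIT_FIELDS = [
  'auditEventTime', 'requestBinding', 'requestId', 'relyingPartyId',
  'messageProfileId', 'assertingPartyId', 'responseBinding', 'responseId',
  'principalName', 'authNMethod', 'releasedAttributeIds', 'nameIdentifier',
  'assertionIds',
];

const AUDIT_LINE = /^\S+ - INFO \[Shibboleth-Audit:\d+\] - (.*)$/;
// Assumption: this DEBUG message belongs to NameID selection, not attribute filtering.
const NAMEID_REMOVAL =
  /AbstractSAMLProfileHandler:\d+\] - Removing attribute (\S+), it can not be encoded via (\S+)/;

// Parse one audit line into an object; returns null for any other log line.
function parseAuditLine(line) {
  const m = AUDIT_LINE.exec(line.trim());
  if (!m) return null;
  const parts = m[1].split('|');
  if (parts.length < AUDIT_FIELDS.length) return null;
  const rec = {};
  AUDIT_FIELDS.forEach((name, i) => { rec[name] = parts[i]; });
  // Comma-separated lists end with a trailing comma; drop the empty element.
  const list = (s) => s.split(',').filter((x) => x.length > 0);
  rec.releasedAttributeIds = list(rec.releasedAttributeIds);
  rec.assertionIds = list(rec.assertionIds);
  return rec;
}

// Scan process-log and audit-log lines together. `released` is true only when an
// audit record for relyingPartyId lists attributeId among the released attribute
// ids. `nameIdOnly` records that the attribute was named in a "Removing attribute
// ... NameIDEncoder" message; that concerns NameID encoding and does not by itself
// mean the attribute filter dropped it.
function checkRelease(lines, relyingPartyId, attributeId) {
  const result = { released: false, auditEvents: 0, nameIdOnly: false, nameIdEncoder: null };
  for (const line of lines) {
    const rec = parseAuditLine(line);
    if (rec && rec.relyingPartyId === relyingPartyId) {
      result.auditEvents += 1;
      if (rec.releasedAttributeIds.includes(attributeId)) result.released = true;
      continue;
    }
    const m = NAMEID_REMOVAL.exec(line);
    if (m && m[1] === attributeId) {
      result.nameIdOnly = true;
      result.nameIdEncoder = m[2];
    }
  }
  return result;
}

// Log lines quoted in the thread above, with the mail client's wrapping undone.
const SAMPLE_LINES = [
  '16:02:21.377 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal cmsdwynn.  The following attributes remain: [transientId, eduPersonScopedAffiliation]',
  '16:02:21.379 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute eduPersonScopedAffiliation, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder',
  '16:02:21.425 - INFO [Shibboleth-Audit:989] - 20121120T160221Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_17f555f56a5a1d4c0f8002ec042c9314|https://sp.testshib.org/shibboleth-sp|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://java.cms.livjm.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_347d7854e5a6550ac3fea58c03741402|cmsdwynn|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|transientId,eduPersonScopedAffiliation,|_72da3968a255614eb5d7a94fb808c4de||',
];

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(
    checkRelease(SAMPLE_LINES, 'https://sp.testshib.org/shibboleth-sp', 'eduPersonScopedAffiliation'),
    null, 2));
}
```

Run it with `node` and point `SAMPLE_LINES` at real idp-process.log and idp-audit.log output; the audit record, not the DEBUG chatter, is what to check when an SP claims an attribute never arrived.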

