Passing attributes to testshib two
Nate Klingenstein
ndk at internet2.edu
Tue Nov 20 11:38:47 EST 2012
David,
You are indeed sending eduPersonScopedAffiliation:
16:02:21.425 - INFO [Shibboleth-Audit:989] - 20121120T160221Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_17f555f56a5a1d4c0f8002ec042c9314|https://sp.testshib.org/shibboleth-sp|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://java.cms.livjm.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_347d7854e5a6550ac3fea58c03741402|cmsdwynn|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|transientId,eduPersonScopedAffiliation,|_72da3968a255614eb5d7a94fb808c4de||
That means it's most likely being dropped by the SP. The TestShib SP exposes its logs to the public, so we can see what's happening:
2012-11-20 11:02:05 DEBUG OpenSAML.MessageDecoder.SAML2 [23]: message from (https://java.cms.livjm.ac.uk/idp/shibboleth)
...
<saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">member</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
...
To be a valid eduPersonScopedAffiliation, it must use one of the controlled vocabulary (check), and it must be scoped to a domain that the IdP is authoritative for (not there). Try making sure that the metadata you uploaded to TestShib includes your domain (ljmu.ac.uk or livjm.ac.uk preferred; it currently says just "ac.uk") as a valid Scope, and then include that scope in the attribute value that is generated by the script.
Thanks,
Nate.
On 20 Nov 2012, at 16:24, "Wynne, David" <D.Wynne at ljmu.ac.uk> wrote:
> First thanks to everyone who helped with my Windows AD authentication. It is working now.
>
> I'm trying to send an attribute to TestShib Two but I'm not sure if it's working. I thought it would appear in the
>
> Shibboleth-protected TestShib Content
>
> But it doesn't. The attribute is defined in attribute-resolver.xml:
>
> <resolver:AttributeDefinition
>     id="eduPersonScopedAffiliation"
>     xsi:type="Script"
>     xmlns="urn:mace:shibboleth:2.0:resolver:ad">
>
>     <!-- the script reads distinguishedName from this connector -->
>     <resolver:Dependency ref="myLDAP" />
>
>     <resolver:AttributeEncoder
>         xsi:type="SAML1String"
>         xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>         name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
>
>     <resolver:AttributeEncoder
>         xsi:type="SAML2String"
>         xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>         name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
>         friendlyName="eduPersonScopedAffiliation" />
>
>     <Script>
>     <![CDATA[
>         importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
>         eduPersonScopedAffiliation = new BasicAttribute("eduPersonScopedAffiliation");
>         // pick the affiliation from the OU in the user's LDAP DN
>         dn = distinguishedName.getValues().get(0).toLowerCase();
>         if (dn.contains("ou=staff")) {
>             eduPersonScopedAffiliation.getValues().add("staff");
>         } else if (dn.contains("ou=student")) {
>             eduPersonScopedAffiliation.getValues().add("student");
>         } else {
>             eduPersonScopedAffiliation.getValues().add("member");
>         }
>     ]]>
>     </Script>
> </resolver:AttributeDefinition>
>
> And in attribute-filter.xml:
>
>
> <afp:AttributeFilterPolicy id="releaseBasicAttributesToAnyone">
> <afp:PolicyRequirementRule xsi:type="basic:ANY" />
>
> <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
>
> </afp:AttributeFilterPolicy>
>
>
> But in the idp-process.log it says "Removing attribute eduPersonScopedAffiliation"?
>
> ring.provider.ShibbolethAttributeFilteringEngine:109] - Attribute eduPersonScopedAffiliation has 1 values after filtering
> 16:02:21.377 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal cmsdwynn. The following attributes remain: [transientId, eduPersonScopedAffiliation]
> 16:02:21.378 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:215] - Encoded attribute eduPersonScopedAffiliation with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
> 16:02:21.379 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute eduPersonScopedAffiliation, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
> <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> 16:02:21.425 - INFO [Shibboleth-Audit:989] - 20121120T160221Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_17f555f56a5a1d4c0f8002ec042c9314|https://sp.testshib.org/shibboleth-sp|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://java.cms.livjm.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_347d7854e5a6550ac3fea58c03741402|cmsdwynn|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|transientId,eduPersonScopedAffiliation,|_72da3968a255614eb5d7a94fb808c4de||
>
> Dave Wynne
> Senior Technical Officer
> School Of Computing & Maths
> James Parsons Building
> Liverpool John Moores University
> Byrom Street
> Liverpool L3 3AF
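An added worked example (not code from this thread and not the Shibboleth project's own code) that models the two checks Nate describes, so the silent drop can be reproduced offline: each eduPersonScopedAffiliation value is split on "@", the left part must be one of the eduPerson affiliation values, and the right part must match a <shibmd:Scope> the IdP declares in its metadata. The metadata, the list of assertion values and the regexp handling are constructed assumptions of this model rather than the SP's actual implementation; the bare "member" value and the "ac.uk" scope are the ones from the thread.

```python
"""Model of how an SP treats eduPersonScopedAffiliation values.

Added example: not code from the thread or from the Shibboleth project.
It reproduces the two checks discussed above so the drop can be watched:
  1. the value must be scoped, i.e. "affiliation@scope";
  2. the affiliation must come from the eduPerson vocabulary and the
     scope must be one the IdP declared via <shibmd:Scope> in metadata.
A value failing a check is dropped, not reported as an error, which is
why the attribute simply never shows up on the test page.
The metadata and assertion below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EPSA_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
# eduPerson controlled vocabulary for the part left of the "@".
AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                "affiliate", "employee", "library-walk-in"}


def _idp_metadata(*scopes):
    """Constructed IdP metadata declaring the given literal scopes."""
    elems = "".join(f'<shibmd:Scope regexp="false">{s}</shibmd:Scope>' for s in scopes)
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" '
        'entityID="https://java.cms.livjm.ac.uk/idp/shibboleth">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"<md:Extensions>{elems}</md:Extensions>"
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


# As uploaded in the thread (scope "ac.uk") and with the institution's own domains.
METADATA_SCOPE_ACUK = _idp_metadata("ac.uk")
METADATA_SCOPE_LJMU = _idp_metadata("ljmu.ac.uk", "livjm.ac.uk")

# Constructed assertion fragment with several candidate values; the first,
# a bare "member", is exactly what the thread's IdP emitted.
ASSERTION_XML = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml2:Issuer>https://java.cms.livjm.ac.uk/idp/shibboleth</saml2:Issuer>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>member</saml2:AttributeValue>
      <saml2:AttributeValue>member@livjm.ac.uk</saml2:AttributeValue>
      <saml2:AttributeValue>staff@ac.uk</saml2:AttributeValue>
      <saml2:AttributeValue>president@livjm.ac.uk</saml2:AttributeValue>
      <saml2:AttributeValue>member@evil.example</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def metadata_scopes(metadata_xml):
    """Collect the <shibmd:Scope> values an IdP is authoritative for.

    Literal scopes are compared case-insensitively as whole strings, so a
    declared "ac.uk" does NOT cover "livjm.ac.uk". regexp="true" scopes are
    treated as a full match here (an assumption of this model).
    """
    literal, regexps = set(), []
    for el in ET.fromstring(metadata_xml).iterfind(".//shibmd:Scope", NS):
        text = (el.text or "").strip()
        if el.get("regexp", "false").lower() == "true":
            regexps.append(re.compile(text, re.IGNORECASE))
        else:
            literal.add(text.lower())
    return literal, regexps


def filter_scoped_affiliation(assertion_xml, metadata_xml):
    """Return (accepted, rejected); rejected is a list of (value, reason)."""
    literal, regexps = metadata_scopes(metadata_xml)
    accepted, rejected = [], []
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") != EPSA_OID:
            continue
        for node in attr.iterfind("saml2:AttributeValue", NS):
            text = (node.text or "").strip()
            affiliation, sep, scope = text.partition("@")
            if not sep or not scope:
                rejected.append((text, "no scope: cannot split into value@scope"))
            elif affiliation.lower() not in AFFILIATIONS:
                rejected.append((text, f"{affiliation!r} not in eduPerson vocabulary"))
            elif not (scope.lower() in literal
                      or any(r.fullmatch(scope) for r in regexps)):
                rejected.append((text, f"scope {scope!r} not declared by the IdP"))
            else:
                accepted.append(text)
    return accepted, rejected


if __name__ == "__main__":
    for label, md in (("metadata scope ac.uk", METADATA_SCOPE_ACUK),
                      ("metadata scopes ljmu.ac.uk, livjm.ac.uk", METADATA_SCOPE_LJMU)):
        ok, dropped = filter_scoped_affiliation(ASSERTION_XML, md)
        print(f"{label}: kept {ok}")
        for value, why in dropped:
            print(f"  dropped {value!r}: {why}")
```

Running it shows the bare "member" dropped under both metadata variants because it has no scope at all, and "member@livjm.ac.uk" dropped while the metadata only declares "ac.uk", since a literal scope is compared as a whole string. Both halves of Nate's advice are therefore needed: the metadata has to declare the institution's scope, and the resolver script has to append that same scope to the value it generates.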