Passing attributes to testshib two

Wynne, David D.Wynne at ljmu.ac.uk
Tue Nov 20 12:00:05 EST 2012


Nate,
I'm using the default idp-metadata.xml which was created by the shibboleth-idp installer & I don't know how to change it.

Well I could just use a text editor but is that the way?

"include that scope in the attribute value that is generated by the script"

Sorry to appear dumb but could you elaborate / give an example?

Dave

From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Nate Klingenstein
Sent: 20 November 2012 16:39
To: Shib Users
Subject: Re: Passing attributes to testshib two

David,

You are indeed sending eduPersonScopedAffiliation:

16:02:21.425 - INFO [Shibboleth-Audit:989] - 20121120T160221Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_17f555f56a5a1d4c0f8002ec042c9314|https://sp.testshib.org/shibboleth-sp|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://java.cms.livjm.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_347d7854e5a6550ac3fea58c03741402|cmsdwynn|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|transientId,eduPersonScopedAffiliation,|_72da3968a255614eb5d7a94fb808c4de||

That means it's most likely being dropped by the SP.  The TestShib SP exposes its logs to the public, so we can see what's happening:


2012-11-20 11:02:05 DEBUG OpenSAML.MessageDecoder.SAML2 [23]: message from (https://java.cms.livjm.ac.uk/idp/shibboleth)

...

<saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">member</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
...

To be a valid eduPersonScopedAffiliation, it must use one of the controlled vocabulary (check), and it must be scoped to a domain that the IdP is authoritative for (not there).  Try making sure that the metadata you uploaded to TestShib includes your domain (ljmu.ac.uk or livjm.ac.uk preferred; it currently says just "ac.uk") as a valid Scope, and then include that scope in the attribute value that is generated by the script.

Thanks,
Nate.

On 20 Nov 2012, at 16:24, "Wynne, David" <D.Wynne at ljmu.ac.uk> wrote:


First thanks to everyone who helped with my Windows AD authentication. It is working now.

I'm trying to send an attribute to testshib two but I'm not sure if it's working. I thought it would appear in the

Shibboleth-protected TestShib Content

But it doesn't. The attribute is defined in attribute-resolver.xml:


        <resolver:AttributeDefinition
                id="eduPersonScopedAffiliation"
                xsi:type="Script"
                xmlns="urn:mace:shibboleth:2.0:resolver:ad" >

                <resolver:Dependency ref="myLDAP" />

                <resolver:AttributeEncoder
                        xsi:type="SAML1String"
                        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                        name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/>

                <resolver:AttributeEncoder
                        xsi:type="SAML2String"
                        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                        friendlyName="eduPersonScopedAffiliation"/>
                <Script>
                        <![CDATA[
                                importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
                                // The attribute this definition produces; the id must match the definition's id.
                                eduPersonScopedAffiliation = new BasicAttribute("eduPersonScopedAffiliation");
                                // distinguishedName is supplied by the myLDAP dependency; compare it case-insensitively.
                                dn = distinguishedName.getValues().get(0).toLowerCase();
                                // Map the OU in the user's DN to an affiliation value.
                                if (dn.contains("ou=staff")) {
                                        eduPersonScopedAffiliation.getValues().add("staff");
                                } else if (dn.contains("ou=student")) {
                                        eduPersonScopedAffiliation.getValues().add("student");
                                } else {
                                        eduPersonScopedAffiliation.getValues().add("member");
                                }
                        ]]>
                </Script>
        </resolver:AttributeDefinition>

And in attribute-filter.xml:


        <afp:AttributeFilterPolicy id="releaseBasicAttributesToAnyone">
                <afp:PolicyRequirementRule xsi:type="basic:ANY" />

                <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
                    <afp:PermitValueRule xsi:type="basic:ANY" />
                </afp:AttributeRule>

    </afp:AttributeFilterPolicy>


But in the idp-process.log it says Removing attribute eduPersonScopedAffiliation?

ring.provider.ShibbolethAttributeFilteringEngine:109] - Attribute eduPersonScopedAffiliation has 1 values after filtering
16:02:21.377 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal cmsdwynn.  The following attributes remain: [transientId, eduPersonScopedAffiliation]
16:02:21.378 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:215] - Encoded attribute eduPersonScopedAffiliation with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
16:02:21.379 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute eduPersonScopedAffiliation, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
      <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
16:02:21.425 - INFO [Shibboleth-Audit:989] - 20121120T160221Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_17f555f56a5a1d4c0f8002ec042c9314|https://sp.testshib.org/shibboleth-sp|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://java.cms.livjm.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_347d7854e5a6550ac3fea58c03741402|cmsdwynn|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|transientId,eduPersonScopedAffiliation,|_72da3968a255614eb5d7a94fb808c4de||

Dave Wynne
Senior Technical Officer
School Of Computing & Maths
James Parsons Building
Liverpool John Moores University
Byrom Street
Liverpool L3 3AF
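The check Nate describes (value must be affiliation@scope, the affiliation must come from the controlled vocabulary, and the scope must be one the IdP declares in its metadata) is what the SP's scope filtering applies before an attribute reaches the protected page. The script below is an added example, not code from this thread or from the Shibboleth project: it reads the shibmd:Scope elements from a constructed idp-metadata.xml fragment and filters a constructed attribute statement modelled on the one in the SP log above. The entityID, the scope values and the sample attribute values are all made up for the example; the regexp scope matching approximates the SP's behaviour rather than reproducing it.

```python
"""Filter eduPersonScopedAffiliation values against the scopes an IdP declares
in its SAML metadata, the way a Shibboleth SP's scope check does."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

EPSA_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"

# eduPerson controlled vocabulary for the affiliation part of the value.
AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                "affiliate", "employee", "library-walk-in"}

# Constructed metadata sample: the IdP declares which scopes it is authoritative for.
IDP_METADATA = r"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.ac.uk/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">ljmu.ac.uk</shibmd:Scope>
      <shibmd:Scope regexp="true">^.+\.livjm\.ac\.uk$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed attribute statement: one unscoped value (as in the log above),
# two correctly scoped values, and one scoped to a domain the IdP does not own.
ATTRIBUTE_STATEMENT = """<saml2:AttributeStatement
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xsi:type="xs:string">member</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xs:string">staff@ljmu.ac.uk</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xs:string">student@java.cms.livjm.ac.uk</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xs:string">staff@ac.uk</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def declared_scopes(metadata_xml):
    """Return (literal_scopes, regexp_scopes) taken from the IdP's shibmd:Scope elements."""
    root = ET.fromstring(metadata_xml)
    literal, regexps = set(), []
    for scope in root.findall(".//md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS):
        text = (scope.text or "").strip()
        if scope.get("regexp", "false").lower() == "true":
            regexps.append(re.compile(text))
        else:
            literal.add(text.lower())
    return literal, regexps


def scope_permitted(scope, literal, regexps):
    """A scope is acceptable if it is declared literally or matches a declared regexp."""
    scope = scope.lower()
    return scope in literal or any(r.match(scope) for r in regexps)


def check_value(value, literal, regexps):
    """Return (ok, reason) for one eduPersonScopedAffiliation value."""
    if "@" not in value:
        return False, "no scope: value must be affiliation@domain"
    affiliation, scope = value.rsplit("@", 1)
    if affiliation not in AFFILIATIONS:
        return False, f"'{affiliation}' is not in the controlled vocabulary"
    if not scope_permitted(scope, literal, regexps):
        return False, f"scope '{scope}' is not declared in the IdP's metadata"
    return True, "ok"


def filter_scoped_affiliation(statement_xml, metadata_xml):
    """Map every eduPersonScopedAffiliation value in the statement to (ok, reason)."""
    literal, regexps = declared_scopes(metadata_xml)
    root = ET.fromstring(statement_xml)
    results = {}
    for attr in root.findall("saml2:Attribute", NS):
        if attr.get("Name") != EPSA_OID:
            continue
        for av in attr.findall("saml2:AttributeValue", NS):
            value = (av.text or "").strip()
            results[value] = check_value(value, literal, regexps)
    return results


if __name__ == "__main__":
    for value, (ok, reason) in filter_scoped_affiliation(ATTRIBUTE_STATEMENT, IDP_METADATA).items():
        print(f"{'KEEP' if ok else 'DROP'} {value}: {reason}")
```

Run as-is, the bare "member" value is dropped for having no scope, "staff@ac.uk" is dropped because ac.uk is not a scope the sample IdP declares, and the two values scoped to declared domains are kept. A resolver script that appends "@ljmu.ac.uk" (or whichever scope the uploaded metadata declares) to the affiliation it chooses produces values that pass this check.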

