Problems extracting attributes
Peter Schober
peter.schober at univie.ac.at
Fri Feb 1 07:46:38 EST 2013
* Rayene Ben Rayana <rayene.benrayana at gmail.com> [2013-02-01 13:18]:
> The SP is actually working with many other IDPs from the same federation.
> The IDP has also been tested with other resources from the federation with
> success.
There is no guesswork involved at the IdP: The IdP has the logfiles
which (at least with the Shibboleth IdP) detail which attributes have
been released.
> The syslog below shows that
> 1 / no attributes are pushed during SSO (do you confirm ?)
Yes, the SAML assertion does not contain an attribute statement.
> 2 / the attribute resolution fails... This is because there's no
> "AttributeAuthorityDescriptor" in the IDP's metadata (see
> discussion<https://lists.internet2.edu/sympa/arc/shibboleth-users/2009-06/msg00040.html>
> ).
Indeed RENATER does not have an AttributeAuthority for this entity.
> Any idea on how to solve this issue ?
Well, the IdP did not send an attribute statement during SSO.
So they should fix that and start sending one.
If both parties support SAML2 -- as is obvious from the log -- I
wouldn't mess with attribute queries. If the IdP is Shibboleth, adding
attribute queries also wouldn't change anything, it still wouldn't
release anything during a query that it wouldn't have pushed during
SSO.
-peter
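
Added example, not part of the original message or of Shibboleth: a small offline check for the two conditions discussed in this thread, whether a captured SAML2 response carries an attribute statement and whether the IdP's metadata advertises an AttributeAuthorityDescriptor. The entityID and both XML samples are constructed placeholders, and the function names are hypothetical; the script inspects already-logged messages and does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: an SSO response whose assertion has no AttributeStatement.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2013-02-01T12:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: IdP metadata with no AttributeAuthorityDescriptor.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

def released_attributes(response_xml):
    """Names of attributes pushed at SSO; [] means no attribute statement was sent."""
    root = ET.fromstring(response_xml)
    if root.find("saml:Assertion", NS) is None:
        if root.find("saml:EncryptedAssertion", NS) is not None:
            raise ValueError("assertion is encrypted; inspect the decrypted copy from the SP log")
        raise ValueError("response carries no assertion")
    path = "saml:Assertion/saml:AttributeStatement/saml:Attribute"
    return [a.get("FriendlyName") or a.get("Name") for a in root.iterfind(path, NS)]

def has_attribute_authority(metadata_xml, entity_id):
    """True if the entity's metadata advertises an AttributeAuthorityDescriptor."""
    # iter() includes the root, so this handles a single entity or a federation aggregate.
    for ent in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        if ent.get("entityID") == entity_id:
            return ent.find("md:AttributeAuthorityDescriptor", NS) is not None
    raise KeyError(entity_id)

def diagnose(response_xml, metadata_xml):
    """Summarise what the IdP pushed and whether an attribute query is even possible."""
    issuer = ET.fromstring(response_xml).findtext("saml:Issuer", namespaces=NS)
    return {"issuer": issuer,
            "pushed": released_attributes(response_xml),
            "query_endpoint": has_attribute_authority(metadata_xml, issuer)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_RESPONSE, SAMPLE_METADATA))
```

An empty `pushed` list together with `query_endpoint` being false matches the situation in the quoted syslog: nothing was released at SSO and there is no attribute authority to query.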