Problems extracting attributes

Peter Schober peter.schober at
Fri Feb 1 07:46:38 EST 2013

* Rayene Ben Rayana <rayene.benrayana at> [2013-02-01 13:18]:
> The SP is actually working with many other IDPs from the same federation.
> The IDP has also been tested with other resources from the federation with
> success.

There is no guesswork involved at the IdP: The IdP has the logfiles
which (at least with the Shibboleth IdP) detail which attributes have
been released.

> The syslog below shows that
> 1 / no attributes are pushed during SSO (do you confirm ?)

Yes, the SAML assertion does not contain an attribute statement.

> 2 / the attribute resolution fails... This is because there's no
> "AttributeAuthorityDescriptor" in the IDP's metadata (see
> discussion<>
> ).

Indeed RENATER does not have an AttributeAuthority for this entity.

> Any idea on how to solve this issue ?

Well, the IdP did not send an attribute statement during SSO.
So they should fix that and start sending one.

If both parties support SAML2 -- as is obvious from the log -- I
wouldn't mess with attribute queries. If the IdP is Shibboleth adding
attribute queries also wouldn't change anything, it still wouldn't
release anything during a query what it wouldn't have pushed during
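
The two checks discussed in this thread, as an added example that is not part of the original post: whether the SSO response carries an attribute statement, and whether the IdP's metadata declares an AttributeAuthorityDescriptor that an attribute query could fall back to. The sample XML and the entityID `https://idp.example.org/idp/shibboleth` are constructed, and the assertion is assumed to be unencrypted (or already decrypted).

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer a hardened parser such as defusedxml

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
IDP = "https://idp.example.org/idp/shibboleth"  # constructed entityID

# Constructed sample: a SAML2 response whose assertion has only an AuthnStatement.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2013-02-01T12:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: IdP metadata that declares the SSO role only.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def pushed_attributes(response_xml):
    """Names of attributes pushed in AttributeStatements (empty list if none)."""
    root = ET.fromstring(response_xml)
    path = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"
    return [attr.get("Name") for attr in root.findall(path, NS)]


def has_attribute_authority(metadata_xml, entity_id):
    """True if the entity's metadata contains an AttributeAuthorityDescriptor."""
    root = ET.fromstring(metadata_xml)
    # iter() also matches the root, so single-entity and aggregate metadata both work.
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.get("entityID") == entity_id:
            return entity.find("md:AttributeAuthorityDescriptor", NS) is not None
    raise LookupError("entity not found in metadata: " + entity_id)


def diagnose(response_xml, metadata_xml, entity_id):
    """Summarise where attribute delivery stops for this IdP."""
    names = pushed_attributes(response_xml)
    if names:
        return "pushed during SSO: " + ", ".join(names)
    if has_attribute_authority(metadata_xml, entity_id):
        return "no attribute statement; an attribute query is possible"
    return "no attribute statement and no AttributeAuthorityDescriptor"
```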
