IDP will not release attributes after Java reinstall (most likely)

Kanuch, Andrew Andy.Kanuch at
Fri Feb 1 17:13:14 EST 2013

Thanks, Kevin.

With the applet in place, the AACLI (run with the following arguments: bin\aacli.bat --configDir=conf/ --principal=andy.kanuch --requester=  ) returns data for the four attributes listed in my Attribute Filter Policy:

<?xml version="1.0" encoding="UTF-8"?><saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
	<saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
		<saml2:AttributeValue xmlns:xs="" xmlns:xsi="" xsi:type="xs:string">andy.kanuch at</saml2:AttributeValue>
	</saml2:Attribute>
	<saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
		<saml2:AttributeValue xmlns:xs="" xmlns:xsi="" xsi:type="xs:string">member</saml2:AttributeValue>
	</saml2:Attribute>
	<saml2:Attribute FriendlyName="givenName" Name="urn:oid:" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
		<saml2:AttributeValue xmlns:xs="" xmlns:xsi="" xsi:type="xs:string">Andrew</saml2:AttributeValue>
	</saml2:Attribute>

Which matches correctly.

Highlights from the debug (After I changed the flag and logged into Testshib again) show:

15:27:04.484 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137] - shibboleth.AttributeResolver resolved, for principal andy.kanuch, the attributes: [eduPersonPrincipalName, eduPersonAffiliation, commonName, transientId, eduPersonScopedAffiliation, surname, givenName, eduPersonTargetedID.old, eduPersonTargetedID, title, postalCode, email, telephoneNumber, locality, stateProvince, displayName]

So it's finding the attributes, and I guess it's not an LDAP cert issue. But it also shows:

15:27:04.484 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy testshibby is active for principal andy.kanuch
15:27:04.484 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:134] - Filter policy testshibby is not active for principal andy.kanuch

So, I think that means I should check my Attribute Filter Policy to make sure it's set up correctly? I have listed it below, and I think I'm using the PermitValueRule correctly?

   <afp:AttributeFilterPolicy id="testshibby">
	<afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="" ignoreCase="true"/>

	<afp:AttributeRule attributeID="eduPersonAffiliation">
		<!-- Permit value rule that releases any value. -->
		<afp:PermitValueRule xsi:type="basic:ANY" />
	</afp:AttributeRule>
	<afp:AttributeRule attributeID="givenName">
		<!-- Permit value rule that releases any value. -->
		<afp:PermitValueRule xsi:type="basic:ANY" />
	</afp:AttributeRule>
	<afp:AttributeRule attributeID="eduPersonPrincipalName">
		<!-- Permit value rule that releases any value. -->
		<afp:PermitValueRule xsi:type="basic:ANY" />
	</afp:AttributeRule>
	<afp:AttributeRule attributeID="eppn">
		<!-- Permit value rule that releases any value. -->
		<afp:PermitValueRule xsi:type="basic:ANY" />
	</afp:AttributeRule>
   </afp:AttributeFilterPolicy>

The wiki only has two pages on AttributeFilterPolicy.  Are there other dependencies I might be overlooking?



-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Kevin P. Foote
Sent: Friday, February 01, 2013 3:21 PM
To: Shib Users
Subject: Re: IDP will not release attributes after Java reinstall (most likely)

On Fri, 1 Feb 2013, Kanuch, Andrew wrote:

> My IDP( which previously worked, and is version 2.3.6 on  a Win Server 2008 R2 Box) is now no longer releasing attributes to SPs..... 
> Am I using the AACLI tool as intended? (To see if an IDP is releasing attributes for a specific SP profile?) Maybe I reverted back to the wrong version of Java?  Or is there something else you might suggest I have done in error?


Your idp-process.log will show you all you need to know on what attributes are being obtained and which ones are being released.. 
Set your logging.xml file to DEBUG for shibboleth.

     <logger name="edu.internet2.middleware.shibboleth">
         <level value="DEBUG" />
     </logger>

Next your aacli error..

You are correct in digging into things with aacli.. it will show you what attributes you have for your principal and what is being released if any..

To fix the aacli error copy the servlet-api.jar file found in your tomcat/lib directory to your shibboleth-idp/lib directory. That should fix you up on that front..
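The debug lines in the thread ("Filter policy testshibby is not active for principal ...") come from the policy's PolicyRequirementRule, not from the AttributeRule entries: with basic:AttributeRequesterString, the policy only switches on when the requester entityID handed to the filter engine matches the rule's value, and an empty or mismatched requester (such as aacli run with --requester= left blank) leaves the policy inactive so nothing is released. The script below is an added example, not code from the thread or from the Shibboleth project; it models just the two rule types the posted policy uses (basic:AttributeRequesterString and basic:ANY) with Python's standard xml.etree, and the sample policy, entityIDs and resolved attribute values are constructed placeholders rather than anything from the original IdP.

```python
"""Model how a Shibboleth 2.x attribute filter policy decides what to release.

Only the rule types that appear in the thread are modelled:
  - basic:AttributeRequesterString as the PolicyRequirementRule
  - basic:ANY as a PermitValueRule
Any other rule type is treated as unsupported (policy stays inactive).
This is a stand-alone illustration, not the IdP's own filtering engine.
"""
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample policy mirroring the shape of the one in the thread.
# The requester entityID is a placeholder, not a real SP.
SAMPLE_POLICY = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="testshibby">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.example.org/shibboleth" ignoreCase="true"/>
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""


def _xsi_type(elem):
    """Return the local part of an xsi:type value such as 'basic:ANY'."""
    # ElementTree resolves namespaces on tags, not on attribute values,
    # so the prefix in xsi:type is stripped by hand.
    t = elem.get(f"{{{XSI}}}type", "")
    return t.split(":", 1)[1] if ":" in t else t


def policy_is_active(policy, requester):
    """True if the policy's AttributeRequesterString rule matches this requester."""
    req = policy.find(f"{{{AFP}}}PolicyRequirementRule")
    if req is None or _xsi_type(req) != "AttributeRequesterString":
        return False
    value = req.get("value", "")
    if req.get("ignoreCase", "false").lower() == "true":
        return value.lower() == (requester or "").lower()
    return value == requester


def inactive_policies(policy_xml, requester):
    """IDs of policies that would log 'is not active' for this requester."""
    root = ET.fromstring(policy_xml)
    return [p.get("id") for p in root.iter(f"{{{AFP}}}AttributeFilterPolicy")
            if not policy_is_active(p, requester)]


def released_attributes(policy_xml, requester, resolved):
    """Apply every active policy to the resolver output.

    resolved: dict attributeID -> list of values (what the resolver produced).
    Returns dict attributeID -> values the filter would release. Default is
    deny: an attribute with no permitting rule in an active policy is dropped.
    """
    root = ET.fromstring(policy_xml)
    released = {}
    for policy in root.iter(f"{{{AFP}}}AttributeFilterPolicy"):
        if not policy_is_active(policy, requester):
            continue
        for rule in policy.findall(f"{{{AFP}}}AttributeRule"):
            attr_id = rule.get("attributeID")
            if attr_id not in resolved:
                continue  # configured but never resolved: nothing to release
            permit = rule.find(f"{{{AFP}}}PermitValueRule")
            if permit is not None and _xsi_type(permit) == "ANY":
                released[attr_id] = list(resolved[attr_id])
    return released


# Constructed stand-in for the resolver output seen in idp-process.log.
RESOLVED = {
    "eduPersonPrincipalName": ["jdoe@idp.example.org"],
    "eduPersonAffiliation": ["member"],
    "givenName": ["Jane"],
    "surname": ["Doe"],  # resolved but not in the policy, so never released
}

if __name__ == "__main__":
    sp = "https://SP.example.org/shibboleth"  # case differs; ignoreCase=true
    print("matching requester releases:", sorted(released_attributes(SAMPLE_POLICY, sp, RESOLVED)))
    print("empty requester releases:", released_attributes(SAMPLE_POLICY, "", RESOLVED))
    print("inactive for empty requester:", inactive_policies(SAMPLE_POLICY, ""))
```

Running it with the matching entityID releases the three configured attributes and drops surname; running it with an empty or different requester reports testshibby as inactive and releases nothing, which is the same outcome the debug log in the thread describes. When checking a real deployment, compare the value in the PolicyRequirementRule against the entityID the SP actually sends (or the one passed to aacli with --requester) rather than against the AttributeRule list.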
