Scoped attribute not passing SP filter
Joep.Driesen at icts.kuleuven.be
Wed Feb 20 05:33:50 EST 2013
We are trying to release a new scoped attribute from one of our federations' IdPs. To this end we added the following
code to the IdPs attribute-resolver.xml:
<resolver:AttributeDefinition id="NewAttribute" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
<resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:kuleuven.be:dir:attribute-def:NewAttribute" friendlyName="NewAttribute" />
We also updated the attribute-filter.xml to release the attribute, and added a line to the metadata to enable this IdP to use the 'kuleuven.be' scope:
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
On the IdPs side, everything seems ok, the IdP release the attribute correctly as we have confirmed by
inspecting the logs.
Next we configured a test SP to receive this new attribute. Adding a rule to the attribute-policy.xml:
<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
<Rule xsi:type="AttributeValueRegex" regex="@"/>
<Rule xsi:type="saml:AttributeScopeMatchesShibMDScope" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
Now according to the SP logs, the attribute is successfully received. The problem is that it is filtered out by the SPs filtering policy:
2013-02-20 11:19:16 DEBUG Shibboleth.AttributeFilter : applying filtering rule(s) for attribute (NewAttribute) from (IdPEntityID)
2013-02-20 11:19:16 WARN Shibboleth.AttributeFilter : removed value at position (0) of attribute (NewAttribute) from (IdPEntityID)
It seems the scope is not properly applied. When I change the SPs filter to only allow values containing an '@', the attribute passes just fine. We are releasing other attributes that are scoped with
the 'otherscope' defined in our attribute-filter.xml, and these are also passing the SPs filter without a problem. I can't find a difference between the old attributes that work and the new attribute that doesn't
Can anyone spot any obvious errors here, or tell me other places I could look for configuration mistakes?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the users