Scoped attribute not passing SP filter

Joep Driesen Joep.Driesen at
Wed Feb 20 05:33:50 EST 2013

Hi Everybody,

We are trying to release a new scoped attribute from one of our federations' IdPs.  To this end we added the following
code to the IdPs attribute-resolver.xml:

<resolver:AttributeDefinition id="NewAttribute" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              scope="" sourceAttributeID="SourceAttribute">
        <resolver:Dependency ref="myLDAP" />

        <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="urn:mace:dir:attribute-def:NewAttribute" />

        <resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="" friendlyName="NewAttribute" />

We also updated the attribute-filter.xml to release the attribute, and added a line to the metadata to enable this IdP to use the '' scope:

<EntityDescriptor entityID="IdPEntityID">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
<shibmd:Scope regexp="false">otherscope</shibmd:Scope>
<shibmd:Scope regexp="false"></shibmd:Scope>

On the IdPs side, everything seems ok, the IdP release the attribute correctly as we have confirmed by
inspecting the logs.

Next we configured a test SP to receive this new attribute. Adding a rule to the attribute-policy.xml:

<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <Rule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" regex="@"/>
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>

<afp:AttributeRule attributeID="NewAttribute">
            <afp:PermitValueRuleReference ref="ScopingRules"/>

Now according to the SP logs, the attribute is successfully received. The problem is that it is filtered out by the SPs filtering policy:

2013-02-20 11:19:16 DEBUG Shibboleth.AttributeFilter [3]: applying filtering rule(s) for attribute (NewAttribute) from (IdPEntityID)
2013-02-20 11:19:16 WARN Shibboleth.AttributeFilter [3]: removed value at position (0) of attribute (NewAttribute) from (IdPEntityID)

It seems the scope is not properly applied. When I change the SPs filter to only allow values containing an '@', the attribute passes just fine. We are releasing other attributes that are scoped with
the 'otherscope' defined in our attribute-filter.xml, and these are also passing the SPs filter without a problem. I can't find a difference between the old attributes that work and the new attribute that doesn't

Can anyone spot any obvious errors here, or tell me other places I could look for configuration mistakes?

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list