Scoped attribute not passing SP filter
Joep Driesen
Joep.Driesen at icts.kuleuven.be
Wed Feb 20 06:23:06 EST 2013
The SP automatically updates its metadata from a central repository every 15 minutes or so, so this should not be an issue. To be sure I checked the
cached metadata on the SP. It was last downloaded today, and contains the scope setting.
So I don't think this is the problem, thanks anyway :)
-----Oorspronkelijk bericht-----
Van: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] Namens Rod Widdowson
Verzonden: woensdag 20 februari 2013 12:08
Aan: 'Shib Users'
Onderwerp: RE: Scoped attribute not passing SP filter
Guess: did you update the IdP's metadata at the SP to add in the extra scope?
> -----Original Message-----
> From: users-bounces at shibboleth.net [mailto:users-
> bounces at shibboleth.net] On Behalf Of Joep Driesen
> Sent: 20 February 2013 10:34
> To: users at shibboleth.net
> Subject: Scoped attribute not passing SP filter
>
> Hi Everybody,
>
> We are trying to release a new scoped attribute from one of our
federations'
> IdPs. To this end we added the following code to the IdPs
> attribute-resolver.xml:
>
> <resolver:AttributeDefinition id="NewAttribute" xsi:type="Scoped"
> xmlns="urn:mace:shibboleth:2.0:resolver:ad"
> scope="kuleuven.be"
sourceAttributeID="SourceAttribute">
> <resolver:Dependency ref="myLDAP" />
>
> <resolver:AttributeEncoder xsi:type="SAML1ScopedString"
> xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>
name="urn:mace:dir:attribute-def:NewAttribute" />
>
> <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
> xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>
name="urn:mace:kuleuven.be:dir:attribute-
> def:NewAttribute" friendlyName="NewAttribute" />
> </resolver:AttributeDefinition>
>
> We also updated the attribute-filter.xml to release the attribute, and
added
> a line to the metadata to enable this IdP to use the 'kuleuven.be' scope:
>
> <EntityDescriptor entityID="IdPEntityID">
> <IDPSSODescriptor
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol
> urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
> <Extensions>
> <shibmd:Scope regexp="false">otherscope</shibmd:Scope>
> <shibmd:Scope regexp="false">kuleuven.be</shibmd:Scope>
> </Extensions>
> .
>
> On the IdPs side, everything seems ok, the IdP release the attribute
correctly
> as we have confirmed by
> inspecting the logs.
>
> Next we configured a test SP to receive this new attribute. Adding a
> rule
to
> the attribute-policy.xml:
>
> <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
> <Rule xsi:type="NOT">
> <Rule xsi:type="AttributeValueRegex" regex="@"/>
> </Rule>
> <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"
> xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
> </afp:PermitValueRule>
>
> <afp:AttributeRule attributeID="NewAttribute">
> <afp:PermitValueRuleReference ref="ScopingRules"/>
> </afp:AttributeRule>
>
> Now according to the SP logs, the attribute is successfully received.
> The problem is that it is filtered out by the SPs filtering policy:
>
> 2013-02-20 11:19:16 DEBUG Shibboleth.AttributeFilter [3]: applying
filtering
> rule(s) for attribute (NewAttribute) from (IdPEntityID)
> 2013-02-20 11:19:16 WARN Shibboleth.AttributeFilter [3]: removed value
> at position (0) of attribute (NewAttribute) from (IdPEntityID)
>
> It seems the scope is not properly applied. When I change the SPs
> filter
to
> only allow values containing an '@', the attribute passes just fine.
> We
are
> releasing other attributes that are scoped with the 'otherscope'
> defined in our attribute-filter.xml, and these are also passing the
> SPs filter without a problem. I can't find a difference
between
> the old attributes that work and the new attribute that doesn't
> anywhere.
>
> Can anyone spot any obvious errors here, or tell me other places I
> could
look
> for configuration mistakes?
>
> Thanks!
> Joep
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users
mailing list