Scoped attribute not passing SP filter
Joep Driesen
Joep.Driesen at icts.kuleuven.be
Thu Feb 21 06:05:43 EST 2013
> Can you send your relevant SP filter rules as you had them and also how they are when you have amended in order to get it to work ?
Before:
<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
    <Rule xsi:type="NOT">
        <Rule xsi:type="AttributeValueRegex" regex="@"/>
    </Rule>
    <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
</afp:PermitValueRule>

<afp:AttributeRule attributeID="eppn">
    <afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>
After:
<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
    <Rule xsi:type="NOT">
        <Rule xsi:type="AttributeValueRegex" regex="@"/>
    </Rule>
    <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
</afp:PermitValueRule>

<afp:AttributeRule attributeID="eppn">
    <afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>

<afp:AttributeRule attributeID="NewAttribute">
    <afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>
As you can see, not much has changed. The eppn attribute is passed perfectly.
> I'd double check that you're not ending up with two scopes on the end of the attribute value. That attribute definition is for pulling in unscoped data. Prescoped would be the one to use if the data already has a suffix.
We checked the value being sent by the IdP in the audit logs, which seemed to release the correct value. On the side of the SP, I used a PHP script that prints all attributes and their corresponding values received by the IdP and passed by the filter on the browser screen to check this. The value of the scoped attribute was: 00000000@kuleuven.be, where 0000000 is the expected value for the id. I'm guessing this is the value you would expect, but I'm not 100% sure...
Joep
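The following is an added illustration, not code from this thread or from the Shibboleth project, of what the ScopingRules permit rule above evaluates for each value of a scoped attribute, and why the "two scopes on the end of the value" pitfall mentioned in the quoted reply makes a value disappear at the SP. It models the two sub-rules as the default policy intends them (the regex is checked against the unscoped value portion, the scope against the IdP's metadata scopes); the IdP metadata scope set, the "00000000" id and the scoped/prescoped splitting behaviour are constructed simplifications, not the real implementations.

```python
import re

# Constructed sample: the scope(s) the issuing IdP advertises in its metadata
# (<shibmd:Scope> elements). Hypothetical, chosen to mirror the thread.
IDP_METADATA_SCOPES = {"kuleuven.be"}

# The <Rule xsi:type="AttributeValueRegex" regex="@"/> rule from the policy.
VALUE_HAS_AT = re.compile("@")


def attribute_value_regex(value: str) -> bool:
    """AttributeValueRegex: true when the regex matches the value portion.
    Assumption of this model: the value portion only, never the scope."""
    return VALUE_HAS_AT.search(value) is not None


def scope_matches_shib_md_scope(scope: str, idp_scopes: set) -> bool:
    """AttributeScopeMatchesShibMDScope: the scope must be one the issuing
    IdP lists in its metadata (exact match; regex scopes are not modelled)."""
    return scope in idp_scopes


def scoping_rules_permit(value: str, scope: str, idp_scopes=IDP_METADATA_SCOPES) -> bool:
    """The ScopingRules PermitValueRule: AND( NOT(regex "@"), scope in metadata )."""
    return (not attribute_value_regex(value)) and scope_matches_shib_md_scope(scope, idp_scopes)


def filter_scoped_attribute(pairs, idp_scopes=IDP_METADATA_SCOPES):
    """Apply the permit rule to each (value, scope) pair and return the survivors
    serialized as value@scope, the form a PHP dump of the attribute would show."""
    return [f"{v}@{s}" for v, s in pairs if scoping_rules_permit(v, s, idp_scopes)]


def scoped_from_raw(raw: str, scope: str):
    """Model of a 'Scoped' attribute definition applied to supposedly unscoped
    data: the configured scope is appended to the raw value as-is. If the raw
    value was already 'id@scope', the value portion keeps its '@'."""
    return (raw, scope)


def prescoped_from_raw(raw: str):
    """Model of a 'Prescoped' attribute definition: the raw value already
    carries its scope and is split at the delimiter (simplification: first '@')."""
    value, _, scope = raw.partition("@")
    return (value, scope)


def explain(value: str, scope: str, idp_scopes=IDP_METADATA_SCOPES) -> str:
    """Human-readable verdict for one value, useful when diagnosing a dropped attribute."""
    if attribute_value_regex(value):
        return f"{value}@{scope}: DENIED, value portion contains '@' (double scope?)"
    if not scope_matches_shib_md_scope(scope, idp_scopes):
        return f"{value}@{scope}: DENIED, scope not in IdP metadata {sorted(idp_scopes)}"
    return f"{value}@{scope}: permitted"


if __name__ == "__main__":
    raw_id = "00000000"                      # constructed id, as in the thread
    already_scoped = f"{raw_id}@kuleuven.be"  # data that already carries a scope

    # Correct handling of pre-scoped data.
    print(explain(*prescoped_from_raw(already_scoped)))
    # The pitfall: a 'Scoped' definition re-appends the scope to pre-scoped data.
    print(explain(*scoped_from_raw(already_scoped, "kuleuven.be")))
    # A scope the IdP does not assert in its metadata.
    print(explain(raw_id, "example.org"))
```

Running the block prints one line per case: the prescoped value is permitted, the doubly scoped value is denied by the NOT-regex rule, and the foreign scope is denied by the metadata-scope rule. The same three cases are what the thread's PHP dump would distinguish: a value that survives the filter shows up exactly once as id@scope, while a doubly scoped or wrongly scoped value never reaches the application.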