Scoped attribute not passing SP filter

Peter Schober peter.schober at
Thu Feb 21 06:25:44 EST 2013

* Joep Driesen <Joep.Driesen at> [2013-02-21 12:06]:
> > I'd double check that you're not ending up with two scopes on the
> end of the attribute value. That attribute definition is for pulling
> in unscoped data. Prescoped would be the one to use if the data
> already has a suffix.
> We checked the value being sent by the IdP in the Audit Logs, which
> seemed to release the correct value. On the side of the SP, I used a
> php-script that print all attributes and their corresponding values
> received by the IdP and passed by the filter on the browserscreen to
> check this. The value of the scoped attribute was:
> 00000000 at , where 0000000 is the expected value for the
> id. I'm guessing this is the value you would expect, but I'm not
> 100% sure...

Turn the IdP's (or the SP's, since you seem to control both?) logging
up to DEBUG and look at the actual XML representation of the attribute.
(Or disable encryption, then you can grab it from the browser in
transit, e.g. using Olav's SAML tracer plugin for Firefox).

Any PHP at the SP won't give you additional info compared to the SP's
log files.
Also the SP's Session handler at /Shibboleth.sso/Session already has
all that info readily available in your browser (other than that the
same as above applies here, of course).

More information about the users mailing list