saml:AuthenticatingAuthority and Assertion Extraction

Andy Bennett andyjpb at knodium.com
Thu Apr 24 12:07:29 EDT 2014


Hi,

Thanks for the reply!


>> I've got exportAssertion="true" set on <Host ...> in <RequestMap> in
>> <RequestMapper ...> in shibboleth2.xml and I'm seeing
>> Shib-Identity-Provider CGI variables but I've *never* seen any
>> Shib-Assertion-Count or Shib-Assertion-NN CGI variables.
> 
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAssertionExport
> 
> You don't have exportLocation or exportACL set, I would imagine.

If I enable those will I get given URLs that can be queried to find the
AuthenticatingAuthority Assertion?


>> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeExtractor#NativeSPAttributeExtractor-XMLAttributeExtractor
>>
>> seems to claim that an XML AttributeExtractor can extract things from
>> <saml2:Assertion> but I'm not sure what syntax to put in
>> attribute-map.xml to make this work.
> 
> It handles Attributes and NameIDs, that's it. If you tell me what text
> implies otherwise, I'll adjust it.

-----
The plugin supports extraction from the following SAML constructs:

    <saml:Assertion>
    <saml:Attribute>
    <saml:NameIdentifier>
    <saml2:Assertion>
    <saml2:Attribute>
    <saml2:NameID>
    <saml2:EncryptedAttribute>
-----

Wherein the word "Assertion" appears.



>> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeExtractor#NativeSPAttributeExtractor-AssertionAttributeExtractor%28Version2.5andAbove%29
>>
>> seems to imply that I might not be able to do this without upgrading to
>> the 2.5 SP software.
> 
> Again, please tell me what implies that and I can fix it. The version
> indicator is there.

It says it can be done with the "Assertion AttributeExtractor" and
provides an example but that extractor is only available in 2.5:

-----
Assertion AttributeExtractor (Version 2.5 and Above)
-----


>> A bit of Googling suggests there were some commits over 2 years ago
>> which added some kind of functionality along these lines but it's not
>> clear what release they went into.
> 
> Assertion AttributeExtractor (Version 2.5 and Above)

Thanks.





Regards,
@ndy

-- 
andyjpb at knodium.com
http://www.knodium.com/
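
For the underlying question in this message (locating saml2:AuthenticatingAuthority once the assertion XML is in hand), here is an added example that is not part of the original post or of the Shibboleth software. The sample assertion, its entity IDs and the function name are constructed for illustration; how the XML is obtained from the SP is outside the example.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}

# Constructed sample assertion (not from a real IdP); entity IDs are placeholders.
SAMPLE_ASSERTION = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_constructed" Version="2.0"
                 IssueInstant="2014-04-24T16:00:00Z">
  <saml2:Issuer>https://idp.example.org/idp</saml2:Issuer>
  <saml2:AuthnStatement AuthnInstant="2014-04-24T15:59:00Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      <saml2:AuthenticatingAuthority>https://idp.campus-a.example.edu/shibboleth</saml2:AuthenticatingAuthority>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
</saml2:Assertion>
"""


def authenticating_authorities(assertion_xml):
    """Return (issuer, [AuthenticatingAuthority, ...]) for a SAML 2.0 assertion.

    This only reads the elements; it does not check the assertion's
    signature, so the values are only as trustworthy as the channel the
    XML was fetched over.
    """
    # An assertion never needs a DTD; refuse one instead of expanding entities.
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        raise ValueError("DTD not allowed in assertion")
    root = ET.fromstring(assertion_xml)
    # SAML 1.x assertions live in a different namespace and have no
    # AuthenticatingAuthority element, so reject anything else explicitly.
    if root.tag != "{%s}Assertion" % SAML2_NS:
        raise ValueError("not a saml2:Assertion: %s" % root.tag)
    issuer = (root.findtext("saml2:Issuer", default="", namespaces=NS) or "").strip()
    # SAML 2.0 places the element inside AuthnStatement/AuthnContext;
    # it is optional and may repeat.
    path = "saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthenticatingAuthority"
    found = [(el.text or "").strip() for el in root.findall(path, NS)]
    return issuer, [a for a in found if a]


if __name__ == "__main__":
    print(authenticating_authorities(SAMPLE_ASSERTION))
```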


