saml:AuthenticatingAuthority and Assertion Extraction

Andy Bennett andyjpb at
Thu Apr 24 12:07:29 EDT 2014


Thanks for the reply!

>> I've got exportAssertion="true" set on <Host ...> in <RequestMap> in
>> <RequestMapper ...> in shibboleth2.xml and I'm seeing
>> Shib-Identity-Provider CGI variables but I've *never* seen any
>> Shib-Assertion-Count or Shib-Assertion-NN CGI variables.
> You don't have exportLocation or exportACL set, I would imagine.

If I enable those will I get given URLs that can be queried to find the
AuthenticatingAuthority Assertion?

>> actor#NativeSPAttributeExtractor-XMLAttributeExtractor
>> seems to claim that an XML AttributeExtractor can extract things from
>> <saml2:Assertion> but I'm not sure what syntax to put in
>> attribute-map.xml to make this work.
> It handles Attributes and NameIDs, that's it. If you tell me what text
> implies otherwise, I'll adjust it.

The plugin supports extraction from the following SAML constructs:


Wherein the word "Assertion" appears.

>> actor#NativeSPAttributeExtractor-AssertionAttributeExtractor%28Version2.5andAbove%29
>> seems to imply that I might not be able to do this without upgrading to
>> the 2.5 SP software.
> Again, please tell me what implies that and I can fix it. The version
> indicator is there.

It says it can be done with the "Assertion AttributeExtractor" and
provides an example but that extractor is only available in 2.5:

Assertion AttributeExtractor (Version 2.5 and Above)

>> A bit of Googling suggests there were some commits over 2 years ago
>> which added some kind of functionality along these lines but it's not
>> clear what release they went into.
> Assertion AttributeExtractor (Version 2.5 and Above)


