Salesforce error when authing against Shibboleth

Ben Branch BBranch at uco.edu
Fri Aug 8 19:04:57 EDT 2014


Scott,

I've configured an attribute rule already, and it still does not work.

attribute-resolver.xml:

<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:tc:SAML:2.0:nameid-format:unspecified" />
</resolver:AttributeDefinition>

Data Connector in attribute-resolver.xml:

<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://ad_server.domain.local"
    baseDN="ou=User_OU,dc=domain,dc=local"
    principal="service_account@domain.local"
    principalCredential="sa_password">
    <dc:FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>mail</dc:ReturnAttributes>
</resolver:DataConnector>


attribute-filter.xml:

<!-- Release the transient ID to anyone -->
<afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="transientId">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

<afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="sp.testshib.org"/>
    <afp:AttributeRule attributeID="mail">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

If the issue is with the SOAP query, how do I release attributes and not use SOAP?

Ben Branch
Sun Administrator
University of Central Oklahoma
ITIL Foundation v3, Network+, RHCSA

100 N. University Drive, Box 122
Edmond, OK 73034
D: 405.974.2649 | M: 405.550.6804 | bbranch at uco.edu | www.uco.edu
________________________________________
From: users-bounces at shibboleth.net [users-bounces at shibboleth.net] On Behalf Of Cantor, Scott [cantor.2 at osu.edu]
Sent: Friday, August 08, 2014 5:20 PM
To: Shib Users
Subject: Re: Salesforce error when authing against Shibboleth

On 8/8/14, 6:04 PM, "Ben Branch" <BBranch at uco.edu> wrote:

>So, then how do I get attributes to release?  Understand, this is my
>first time ever setting this up. I've been poring over the wiki to try
>and find something to help me but I have been very unsuccessful in that
>endeavor.

A basic release rule for attribute foo to an SP looks like:

<AttributeFilterPolicy id="foorule">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://service.example.edu/shibboleth-sp" />

    <AttributeRule attributeID="foo">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>



https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAddAttributeFilter
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPFilterRequirementAttributeRequesterString

-- Scott
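A small consistency check for an IdP v2 attribute-resolver.xml / attribute-filter.xml pair, added here as an example and not code from this thread or from the Shibboleth project. It assumes the standard IdP v2 namespaces and reads both files as plain XML; the embedded sample configuration is constructed to mirror the kind of mismatches a release rule can carry (a policy with no id, a requester value that is a hostname rather than an entityID URI, and an AttributeRule whose attributeID is the LDAP attribute name rather than the AttributeDefinition id the filter must reference).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by Shibboleth IdP v2 resolver and filter configuration.
AFP = "urn:mace:shibboleth:2.0:afp"
RESOLVER = "urn:mace:shibboleth:2.0:resolver"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

def check_release_config(resolver_xml, filter_xml):
    """Return human-readable findings for a resolver/filter pair (empty list = consistent)."""
    findings = []
    resolver = ET.fromstring(resolver_xml)
    # The filter must name AttributeDefinition ids, not LDAP source attribute names.
    defined = {d.get("id") for d in resolver.iter(f"{{{RESOLVER}}}AttributeDefinition")}
    for policy in ET.fromstring(filter_xml).iter(f"{{{AFP}}}AttributeFilterPolicy"):
        pid = policy.get("id")
        label = pid or "<policy without id>"
        if not pid:
            findings.append(f"{label}: AttributeFilterPolicy is missing its id attribute")
        for req in policy.findall(f"{{{AFP}}}PolicyRequirementRule"):
            if (req.get(f"{{{XSI}}}type") or "").endswith("AttributeRequesterString"):
                value = req.get("value", "")
                # An SP entityID is an absolute URI (https://... or urn:...), never a bare hostname.
                if not urlparse(value).scheme:
                    findings.append(f"{label}: requester value {value!r} is not an entityID URI")
        for rule in policy.findall(f"{{{AFP}}}AttributeRule"):
            aid = rule.get("attributeID")
            if aid not in defined:
                findings.append(f"{label}: attributeID {aid!r} has no AttributeDefinition in the resolver")
    return findings

# Constructed sample configuration (not a real deployment).
RESOLVER_XML = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="ad:TransientId" id="transientId"/>
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

FILTER_XML = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="transientId"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="sp.testshib.org"/>
    <afp:AttributeRule attributeID="mail"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

if __name__ == "__main__":
    for finding in check_release_config(RESOLVER_XML, FILTER_XML):
        print(finding)
```

Point it at the real files with open(...).read() and an empty result means the filter only references attribute ids the resolver actually defines and every requester rule carries a proper entityID.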
