Salesforce error when authing against Shibboleth
Ben Branch
BBranch at uco.edu
Fri Aug 8 19:04:57 EDT 2014
Scott,
I've configured an attribute rule already, and it still does not work.
attribute-resolver.xml:
<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
  <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      nameFormat="urn:oasis:tc:SAML:2.0:nameid-format:unspecified" />
</resolver:AttributeDefinition>
Data Connector in attribute-resolver.xml
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://ad_server.domain.local"
    baseDN="ou=User_OU,dc=domain,dc=local"
    principal="service_account at domain.local"
    principalCredential="sa_password">
  <dc:FilterTemplate>
    <![CDATA[
      (uid=$requestContext.principalName)
    ]]>
  </dc:FilterTemplate>
  <dc:ReturnAttributes>mail</dc:ReturnAttributes>
</resolver:DataConnector>
attribute-filter.xml
<!-- Release the transient ID to anyone -->
<afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
  <afp:PolicyRequirementRule xsi:type="basic:ANY" />
  <afp:AttributeRule attributeID="transientId">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
<afp:AttributeFilterPolicy>
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="sp.testshib.org"/>
  <afp:AttributeRule attributeID="mail">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
If the issue is with the SOAP query, how do I release attributes and not use SOAP?
Ben Branch
Sun Administrator
University of Central Oklahoma
ITIL Foundation v3, Network+, RHCSA
100 N. University Drive, Box 122
Edmond, OK 73034
D: 405.974.2649 | M: 405.550.6804 | bbranch at uco.edu | www.uco.edu
________________________________________
From: users-bounces at shibboleth.net [users-bounces at shibboleth.net] On Behalf Of Cantor, Scott [cantor.2 at osu.edu]
Sent: Friday, August 08, 2014 5:20 PM
To: Shib Users
Subject: Re: Salesforce error when authing against Shibboleth
On 8/8/14, 6:04 PM, "Ben Branch" <BBranch at uco.edu> wrote:
>So, then how do I get attributes to release then? Understand, this is my
>first time ever setting this up. I've been poring over the wiki to try
>and find something to help me but I have been very unsuccessful in that
>endeavor.
A basic release rule for attribute foo to an SP looks like:
<AttributeFilterPolicy id="foorule">
  <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://service.example.edu/shibboleth-sp" />
  <AttributeRule attributeID="foo">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
</AttributeFilterPolicy>
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAddAttributeFilter
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPFilterRequirementAttributeRequesterString
-- Scott
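
Added example, not part of the original thread and not Shibboleth's own tooling: a small lint that cross-checks an IdP 2.x attribute filter against the resolver, listing which requester each release rule applies to and whether the rule's attributeID matches the id of an AttributeDefinition (filter rules refer to definitions by that id). The two XML documents are constructed samples modeled on the fragments in the message, with root elements, namespace declarations and a transientId definition added so they parse; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"resolver": "urn:mace:shibboleth:2.0:resolver",
      "afp": "urn:mace:shibboleth:2.0:afp"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed samples modeled on the fragments in the message; the root
# elements and namespace declarations are added here so they parse.
RESOLVER_XML = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail"/>
  <resolver:AttributeDefinition xsi:type="ad:TransientId" id="transientId"/>
</resolver:AttributeResolver>"""

FILTER_XML = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="transientId"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="sp.testshib.org"/>
    <afp:AttributeRule attributeID="mail"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

def defined_ids(resolver_xml):
    """ids of every AttributeDefinition the resolver can produce."""
    root = ET.fromstring(resolver_xml)
    return {d.get("id") for d in root.iterfind(".//resolver:AttributeDefinition", NS)}

def audit(resolver_xml, filter_xml):
    """Return (policy id, requester, attributeID, status) for every release rule."""
    known, findings = defined_ids(resolver_xml), []
    for pol in ET.fromstring(filter_xml).iterfind(".//afp:AttributeFilterPolicy", NS):
        req = pol.find("afp:PolicyRequirementRule", NS)
        rtype = req.get(XSI_TYPE, "")
        # basic:ANY applies the policy to every relying party; otherwise show the match value.
        requester = "ANY" if rtype.endswith(":ANY") else req.get("value", rtype)
        for rule in pol.iterfind("afp:AttributeRule", NS):
            attr = rule.get("attributeID")
            status = "ok" if attr in known else "undefined in resolver"
            findings.append((pol.get("id", "(no id)"), requester, attr, status))
    return findings

if __name__ == "__main__":
    for row in audit(RESOLVER_XML, FILTER_XML):
        print("%-28s requester=%-16s attribute=%-12s %s" % row)
```

The requester column is the value to compare against the entityID of the service provider that is actually asking for attributes.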