Help with IdP attribute configuration
Peter Schober
peter.schober at univie.ac.at
Fri Jul 18 18:33:52 EDT 2014
* mariasol <sol.garcia at globant.com> [2014-07-18 20:37]:
> I'm not using LDAP, I'm getting the value from the request subject with a
> script.
No one said you were. I only mentioned potential peculiarities of
objectGUID because you posted a configuration with
sourceAttributeID="objectGUID".
> Here's what I have on the attribute filter:
> <afp:AttributeFilterPolicy id="releaseImmutableIDToAnyone">
>     <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
>
>     <afp:AttributeRule attributeID="ImmutableID">
>         <afp:PermitValueRule xsi:type="basic:ANY"/>
>     </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
OK, so the attribute filter has nothing to do with it, which leaves
all the other things I've mentioned and which you didn't comment on,
starting with the NameID selection process,
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPNameIdentifier
(via "Support a new Name Identifier" on
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPConfiguration )
That assumes the transient NameID was in fact released instead of your
custom one, which you should see in the logs (as well as on the SP
side, when the SP is "skipping" the unmapped transient NameID format).
-peter