skipping duplicate Attribute mapping (same name and nameFormat)

Andy Bennett andyjpb at
Thu Sep 4 08:04:53 EDT 2014


I have an SP configured such that all of the targeted-id and
persistent-id decoders are enabled in attribute-map.xml.

When our app first sees a login for a particular SP it decides whether
to use persistent-id or targeted-id as the key for our "shadow user
account". It looks for persistent-id first and then targeted-id.

Some IDPs send multivalued persistent-ids and this is causing us
problems that we'd like to fix.

We see three types of IDP who send more that one "id":

 + sends different targeted-id and persistent-id

     For this we just use persistent-id and all is well.

 + sends single valued targeted-id and bi-valued persistent-id, all the same

     When we receive a multi-valued persistent-id we split it into the
values, assert them equal then pick one so this case works fine.

+ sends single values targeted-id and tri-valued persistent-id, last
persistent-id matches targeted-id, first and second persistent-
ids match each other but don't match targeted-id

     For this one we are in a pickle because we try to choose
persistent-id and our multi-value algorithm fails. We then have to go
and set this IDP to key by targeted-id so that it doesn't trip over on
the "all values in multi-valued persistent-ids much match" requirement.

Now, there are three types of thing which get decoded to "persistent-id":

 + urn:mace:dir:attribute-def:eduPersonTargetedID
 + urn:oid:
 + urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

... and one type of thing which gets decoded to "targeted-id":

 + urn:mace:dir:attribute-def:eduPersonTargetedID

As the targeted-id decoder appears before the persistent-id decoder we
see "skipping duplicate Attribute mapping (same name and nameFormat)" in
the logs for the urn:mace:dir:attribute-def:eduPersonTargetedID
persistent-id decoder.

In order to try to get a better idea of who is sending what, I'd like to
change the persistent-id decoders to decode to, say
"persistent-id-{oasis,oid,mace}" then my keying algorithm could change from

"pick persistent-id then targeted-id" to "pick oasis, then oid then
mace" and I could dispense with targeted-id entirely.

If I'd been more careful when I set things up then this would be
trivial. However, I already have a bunch of IDP entries in my app which
think that they're keyed by "persistent-id" and I can't find enough
information in the logs to know which decoder was used and therefore I
can't change this to "oasis", "oid" or "mace".

Is there a way to allow attribute-map.xml entries to work where they
have the same "name" and "nameFormat" entries as a another decoder but a
different "id"? That way I can continue to use the keys I currently use
but also gradually capture the {oasis,oid,mace} information.

Thanks for your help.


andyjpb at

More information about the users mailing list