Attribute release problem

Brent Putman putmanb at
Wed Aug 5 15:55:21 EDT 2015

On 8/5/15 3:45 PM, Michael Dahlberg wrote:
> I'm having a strange problem that I'm hoping someone could help with. 
> In the Shibboleth IdP (v.2.40), I've loaded metadata for the SP entity
> ID

Based on the log below, that's actually not the entityID... 

> and included the endpoints and

Don't know what you mean by "endpoint" here.  Those are not typical
endpoints for a Shibboleth SP (or IdP for that matter).

> The attribute-filter.xml file is configured to release the same
> attributes regardless of whether the AttributeRequesterString is
> either the http or the https variant.

The entityID scheme (if it's a URL) will never vary.  It's either https
or http, period. That's because it's an identifier, not a (necessarily)
reachable endpoint.  I think you're confused about what the entityID is.

> 14:10:57.566 - INFO [Shibboleth-Audit:1028] -
> 20150805T181057Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_ffde89b008ca7d858f7f4ea8735d2eb2||urn:mace:shibboleth:2.0:profiles:saml2:sso||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_dc9c3bfd14ebf25b51c8a1495d05a3d7|fertig|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_7cc0122db7f58781ffb4238839b9646c|_cac1d35e2b3dafdbecf6ba1563918a8c,|
> <,%7C>

Based on that entry, the SP's entityID  is:  That's what you should be
configuring in your attribute filter - and should also match the
EntityDescriptor entityID attribute in the metadata you are loading.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list