Attribute release problem
Brent Putman
putmanb at georgetown.edu
Wed Aug 5 15:55:21 EDT 2015
On 8/5/15 3:45 PM, Michael Dahlberg wrote:
> I'm having a strange problem that I'm hoping someone could help with.
> In the Shibboleth IdP (v.2.40), I've loaded metadata for the SP entity
> ID https://example.bucknell.edu
Based on the log below, that's actually not the entityID...
> and included the endpoints https://example.bucknell.edu/shibboleth and
> http://example.bucknell.edu/shibboleth.
Don't know what you mean by "endpoint" here. Those are not typical
endpoints for a Shibboleth SP (or IdP for that matter).
> The attribute-filter.xml file is configured to release the same
> attributes regardless of whether the AttributeRequesterString is
> either the http or the https variant.
The entityID scheme (if it's a URL) will never vary. It's either https
or http, period. That's because it's an identifier, not a (necessarily)
reachable endpoint. I think you're confused about what the entityID is.
>
> 14:10:57.566 - INFO [Shibboleth-Audit:1028] -
> 20150805T181057Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_ffde89b008ca7d858f7f4ea8735d2eb2|https://example.bucknell.edu/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://shib.bucknell.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_dc9c3bfd14ebf25b51c8a1495d05a3d7|fertig|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_7cc0122db7f58781ffb4238839b9646c|_cac1d35e2b3dafdbecf6ba1563918a8c,|
>
Based on that entry, the SP's entityID is:
https://example.bucknell.edu/shibboleth. That's what you should be
configuring in your attribute filter - and should also match the
EntityDescriptor entityID attribute in the metadata you are loading.
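
Added example, not part of the original message: a small Python check that reads the relying party's entityID out of the audit entry quoted above and compares it, as an exact string, with the requester values an attribute filter is configured for. The audit field order and the two `CONFIGURED` values are assumptions made for illustration; only the audit entry itself comes from the thread.

```python
from urllib.parse import urlsplit

# Field order of an IdP 2.x audit entry (assumed; check your IdP's logging docs).
AUDIT_FIELDS = ["requestTime", "requestBinding", "requestId", "relyingPartyId",
                "messageProfileId", "assertingPartyId", "responseBinding",
                "responseId", "principalName", "authNMethod",
                "releasedAttributes", "nameIdentifier", "assertionIds"]

# The audit entry quoted in the thread, without the logger prefix.
THREAD_ENTRY = (
    "20150805T181057Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|"
    "_ffde89b008ca7d858f7f4ea8735d2eb2|https://example.bucknell.edu/shibboleth|"
    "urn:mace:shibboleth:2.0:profiles:saml2:sso|"
    "https://shib.bucknell.edu/idp/shibboleth|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
    "_dc9c3bfd14ebf25b51c8a1495d05a3d7|fertig|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||"
    "_7cc0122db7f58781ffb4238839b9646c|_cac1d35e2b3dafdbecf6ba1563918a8c,|")

# Constructed requester values standing in for AttributeRequesterString rules.
CONFIGURED = ["https://example.bucknell.edu", "http://example.bucknell.edu"]


def parse_audit_entry(entry):
    """Split one pipe-delimited audit entry into named fields."""
    parts = entry.strip().split("|")
    if parts[-1] == "":          # the entry ends with a trailing pipe
        parts.pop()
    if len(parts) != len(AUDIT_FIELDS):
        raise ValueError(f"expected {len(AUDIT_FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(AUDIT_FIELDS, parts))
    for key in ("releasedAttributes", "assertionIds"):
        rec[key] = [v for v in rec[key].split(",") if v]
    return rec


def check_requesters(rec, configured):
    """Compare the audited relyingPartyId to configured values, exactly."""
    rp = rec["relyingPartyId"]
    host = urlsplit(rp).hostname
    return {"relyingPartyId": rp,
            "exact_match": rp in configured,
            # Same host but a different string: looks right, never matches.
            "near_misses": [c for c in configured
                            if c != rp and urlsplit(c).hostname == host],
            "released": rec["releasedAttributes"]}


if __name__ == "__main__":
    print(check_requesters(parse_audit_entry(THREAD_ENTRY), CONFIGURED))
```

An empty `released` list together with a non-empty `near_misses` list is the pattern in this thread: the filter names a string on the same host, but not the entityID the SP actually sent.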