Name Identifier attribute release
Michael Dahlberg
olgamirth at gmail.com
Wed Aug 19 09:36:27 EDT 2015
I'm still having a bit of a problem returning an attribute encoded in the
SAML2 Name Identifier ... thanks for your continued assistance.
I've made the following modifications:
In attribute-resolver.xml:
<resolver:AttributeDefinition id="pageUp" xsi:type="Simple"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="cn">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent" />
</resolver:AttributeDefinition>
The cn attribute is one that is released by the data connector referenced
in myLDAP and contains the username of the authenticated user.
In attribute-filter.xml:
<afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://admin.dc4.pageuppeople.com/" />
    <afp:AttributeRule attributeID="pageUp">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Seems pretty basic once you comprehend what a Name Identifier is (I'm still
learning that myself).
However, a SAML tracer result shows the following (I've just included the
SAML2 subject for clarification):
<saml2:Subject>
    <saml2:NameID
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://shib.bucknell.edu/idp/shibboleth"
        SPNameQualifier="https://admin.dc4.pageuppeople.com/"
        >_5ea915fd003b7acdf9f65283fd288073</saml2:NameID>
    <saml2:SubjectConfirmation
        Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="172.20.10.105"
            InResponseTo="_9a2bb99d-6198-4c25-b8b9-f9c2794dc69a"
            NotOnOrAfter="2015-08-19T13:23:47.460Z"
            Recipient="https://admin.dc4.pageuppeople.com//gateway/SAML.aspx?binding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-POST"
            />
    </saml2:SubjectConfirmation>
</saml2:Subject>
It looks as if the NameID value is the transientId, not the cn. I have no
idea why the transientId is returned rather than the cn from the
configurations listed above.
Any suggestions will be appreciated. Also, if you feel so inclined to
point out my terminology mistakes, I would appreciate that as well ...
being able to accurately describe the problem is 75% of the battle.
Thanks,
Mike
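As an added example (not part of Mike's post and not Shibboleth code), the Python script below parses the saml2:Subject from the SAML tracer output above and applies the checks a service provider makes on a bearer subject before it trusts the assertion: the confirmation method, Recipient against its own AssertionConsumerService URL, InResponseTo against a request it issued, NotOnOrAfter against the clock, NameQualifier and SPNameQualifier against the two entityIDs, and the NameID Format against the format it was expecting. It also checks a format URI against the name identifier formats the SAML specifications actually define: persistent and transient are SAML 2.0 formats (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent and ...:transient); the SAML 1.1 namespace defines only unspecified, emailAddress, X509SubjectName and WindowsDomainQualifiedName. The entityIDs, ACS URL and request ID in the expected values are taken from the trace; the clock value is constructed, and the expected format is the persistent format the resolver configuration above is aiming for.

```python
"""Added example (not Shibboleth code; standard library only): check a SAML 2.0
saml2:Subject the way a service provider must before it trusts the assertion."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # for untrusted XML in production, use defusedxml

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Formats defined by SAML Core section 8.3; persistent/transient are SAML 2.0 only.
KNOWN_NAMEID_FORMATS = {
    FMT_UNSPECIFIED, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity", FMT_PERSISTENT, FMT_TRANSIENT,
}

# The Subject from the SAML tracer output in the post above, with the saml2
# namespace declaration added so the fragment parses on its own.
SAMPLE_SUBJECT = """<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    NameQualifier="https://shib.bucknell.edu/idp/shibboleth"
    SPNameQualifier="https://admin.dc4.pageuppeople.com/">_5ea915fd003b7acdf9f65283fd288073</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData Address="172.20.10.105"
      InResponseTo="_9a2bb99d-6198-4c25-b8b9-f9c2794dc69a" NotOnOrAfter="2015-08-19T13:23:47.460Z"
      Recipient="https://admin.dc4.pageuppeople.com//gateway/SAML.aspx?binding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-POST"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>"""

# What the SP in the thread would expect: entityIDs, ACS URL and request ID are
# taken from the trace; the persistent format is what the IdP side configured.
EXPECTED = {
    "idp_entity_id": "https://shib.bucknell.edu/idp/shibboleth",
    "sp_entity_id": "https://admin.dc4.pageuppeople.com/",
    "acs_url": "https://admin.dc4.pageuppeople.com//gateway/SAML.aspx?binding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-POST",
    "request_id": "_9a2bb99d-6198-4c25-b8b9-f9c2794dc69a",
    "nameid_format": FMT_PERSISTENT,
}
SAMPLE_NOW = datetime(2015, 8, 19, 13, 20, 0, tzinfo=timezone.utc)  # constructed clock


def parse_saml_time(value):
    """xs:dateTime as SAML requires it: UTC with a trailing 'Z', fraction optional."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML timestamps must be UTC: {value!r}")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(value[:-1], fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable timestamp {value!r}")


def parse_subject(xml_text):
    """Pull the NameID and bearer-confirmation fields out of a saml2:Subject."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2_NS}}}Subject":
        raise ValueError("root element is not saml2:Subject")
    nameid = root.find("saml2:NameID", NS)
    conf = root.find("saml2:SubjectConfirmation", NS)
    data = conf.find("saml2:SubjectConfirmationData", NS) if conf is not None else None
    attr = lambda el, name: el.get(name) if el is not None else None
    return {
        "nameid": (nameid.text or "").strip() if nameid is not None else None,
        "format": attr(nameid, "Format") or FMT_UNSPECIFIED,  # the spec's default
        "name_qualifier": attr(nameid, "NameQualifier"),
        "sp_name_qualifier": attr(nameid, "SPNameQualifier"),
        "method": attr(conf, "Method"),
        "recipient": attr(data, "Recipient"),
        "in_response_to": attr(data, "InResponseTo"),
        "not_on_or_after": attr(data, "NotOnOrAfter"),
    }


def check_subject(subject, expected, now):
    """Return the list of problems; an empty list means the subject is acceptable."""
    problems = []
    if subject["method"] != BEARER:
        problems.append(f"confirmation method {subject['method']!r} is not bearer")
    if subject["recipient"] != expected["acs_url"]:
        problems.append("Recipient is not our AssertionConsumerService URL")
    if subject["in_response_to"] != expected["request_id"]:
        problems.append("InResponseTo does not match an AuthnRequest we issued")
    expiry = subject["not_on_or_after"]
    if expiry is None or now >= parse_saml_time(expiry):
        problems.append("NotOnOrAfter is missing or has already passed")
    if subject["name_qualifier"] not in (None, expected["idp_entity_id"]):
        problems.append("NameQualifier is not the IdP we trust")
    if subject["sp_name_qualifier"] not in (None, expected["sp_entity_id"]):
        problems.append("SPNameQualifier is not our own entityID")
    if subject["format"] != expected["nameid_format"]:
        problems.append(f"NameID Format is {subject['format']}, not {expected['nameid_format']}")
    return problems


def is_known_nameid_format(fmt):
    """True if fmt is a name identifier format the SAML specifications define."""
    return fmt in KNOWN_NAMEID_FORMATS
```

Run against the trace, check_subject reports a single problem, the Format mismatch (transient where persistent was expected); everything else about the bearer subject is consistent with the request the SP sent. Feeding urn:oasis:names:tc:SAML:1.1:nameid-format:persistent to is_known_nameid_format returns False, because no such format exists in SAML 1.1; an SP that asks for persistent identifiers in its NameIDPolicy or metadata will be asking for the SAML 2.0 URI.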