Help Releasing Attributes
David E. Newswanger
David_Newswanger at berea.edu
Wed Dec 9 16:56:31 EST 2015
I'm a student working in the IT department at Berea College. I've been tasked with setting up an IdP for the college. So far I've successfully installed the IdP v3 and a test service provider which can authenticate users against the school's Active Directory LDAP server. I've hit a brick wall in the last couple of weeks because I haven't been able to get my IdP to release any attributes aside from the EPPN and uid.
I copied the default connector for LDAP from attribute-resolver-ldap.xml into attribute-attribute-resolver.xml and I've also copied over the default attribute descriptions from attribute-resolver-full.xml for some of the standard attributes that we use in our LDAP instance such as sn and mail. I've removed all the filters in attribute-filter.xml and attribute-policy.xml to allow for everything to pass through unmolested, and I've uncommented all of the default attributes in attribute-map.xml, including the ones for sn and mail. Even after all of this, the IdP still refuses to release attributes to my test service provider and the one that I have set up on testshib.org.
I've tried to use the aacli.sh script like so:

    ./aacli.sh --principal newswangerd --configDir /opt/shibboleth-idp/conf/ --requester https://idp.testshib.org/idp/shibboleth

and rather than receiving a SAML assertion like the wiki said I should, I got this string:
Does anyone know what might be going on? What can I do to debug this problem?