Help Releasing Attributes
David E. Newswanger
David_Newswanger at berea.edu
Fri Dec 11 13:26:21 EST 2015
I should probably clarify. When I say I removed all the filters, I mean that I configured the IdP filter to release the attributes I'm testing to all the service providers, and I configured the SP to receive all of the attributes that the IdP releases like so:
IdP:
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="mail">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
SP:
  <afp:AttributeRule attributeID="*">
    <afp:PermitValueRule xsi:type="ANY"/>
  </afp:AttributeRule>
How do I determine at what stage the attribute release is breaking down? I'm not sure if it's the connector, the attribute definitions or the attribute map on the SP's end. I'm fairly confident that the filter isn't the problem, unless I improperly configured the IdP's attribute rules.
Thanks,
David Newswanger
________________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Wednesday, December 9, 2015 4:23 PM
To: Shib Users
Subject: Re: Help Releasing Attributes
On 12/9/15, 4:56 PM, "users on behalf of David E. Newswanger" <users-bounces at shibboleth.net on behalf of David_Newswanger at berea.edu> wrote:
>I copied the default connector for LDAP from attribute-resolver-ldap.xml into attribute-attribute-resolver.xml and I've also copied over the default attribute descriptions from attribute-resolver-full.xml for some of the standard attributes that we use in our
> LDAP instance such as sn and mail. I've removed all the filters in attribute-filter.xml and attribute-policy.xml to allow for everything to pass through unmolested,
Removing policies doesn't cause everything to pass through, quite the reverse.
>I've tried to use the aacli.sh script like so: ./aacli.sh --principal newswangerd --configDir /opt/shibboleth-idp/conf/ --requester
> https://idp.testshib.org/idp/shibboleth and rather than receiving a SAML
> assertion like the wiki said I should, I got this string:
You're copying some kind of old example, but that error means your IdP isn't reachable over localhost on port 80.
-- Scott
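Added example, not part of the original messages and not Shibboleth code: a simplified Python model of default-deny attribute filtering, showing why an empty policy file releases nothing and why a permitted attribute is still absent if the resolver never produced it. It assumes only `basic:ANY` and `basic:AttributeRequesterString` requirement rules and `basic:ANY` permit rules; the policy ids, sample XML and SP entity ID used with it are constructed.

```python
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "{http://www.w3.org/2001/XMLSchema-instance}type"
HEADER = ('<afp:AttributeFilterPolicyGroup id="constructed" xmlns:afp="%s" '
          'xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" '
          'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' % AFP)

# Constructed sample: one policy that applies to any requester.
RELEASE_TO_ALL = HEADER + """
  <afp:AttributeFilterPolicy id="releaseToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="surname">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="mail">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

# Constructed sample: every policy removed.
NO_POLICIES = HEADER + "</afp:AttributeFilterPolicyGroup>"

def _kind(elem):
    # xsi:type holds a QName such as "basic:ANY"; compare on the local part.
    return elem.get(XSI, "").split(":")[-1]

def _policy_applies(rule, requester):
    if rule is None:
        return False
    if _kind(rule) == "ANY":
        return True
    return _kind(rule) == "AttributeRequesterString" and rule.get("value") == requester

def released(policy_xml, resolved, requester):
    """Return the subset of resolved attribute IDs that an active policy permits."""
    root = ET.fromstring(policy_xml)
    permitted = set()  # default deny: empty until a rule adds to it
    for policy in root.iter("{%s}AttributeFilterPolicy" % AFP):
        if not _policy_applies(policy.find("{%s}PolicyRequirementRule" % AFP), requester):
            continue
        for rule in policy.findall("{%s}AttributeRule" % AFP):
            permit = rule.find("{%s}PermitValueRule" % AFP)
            if permit is not None and _kind(permit) == "ANY":
                permitted.add(rule.get("attributeID"))
    return sorted(a for a in resolved if a in permitted)
```

Comparing the resolver's output with the filtered result for the same requester separates a resolution failure (connector or attribute definition) from a filtering one.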