Help Releasing Attributes

David E. Newswanger David_Newswanger at
Fri Dec 11 13:26:21 EST 2015

I should probably clarify. When I say I removed all the filters, I mean that I configured the IdP filter to release the attributes I'm testing to all the service providers, and I configured the SP to receive all of the attributes that the IdP releases like so:

        <afp:AttributeRule attributeID="surname">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="mail">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="*">
            <afp:PermitValueRule xsi:type="ANY"/>
        </afp:AttributeRule>

How do I determine at what stage the attribute release is breaking down? I'm not sure if it's the connector, the attribute definitions or the attribute map on the SP's end. I'm fairly confident that the filter isn't the problem, unless I improperly configured the IdP's attribute rules.

   David Newswanger

From: users <users-bounces at> on behalf of Cantor, Scott <cantor.2 at>
Sent: Wednesday, December 9, 2015 4:23 PM
To: Shib Users
Subject: Re: Help Releasing Attributes

On 12/9/15, 4:56 PM, "users on behalf of David E. Newswanger" <users-bounces at on behalf of David_Newswanger at> wrote:

>I copied the default connector for LDAP from attribute-resolver-ldap.xml into attribute-attribute-resolver.xml and I've also copied over the default attribute descriptions from attribute-resolver-full.xml for some of the standard attributes that we use in our
> LDAP instance such as sn and mail. I've removed all the filters in attribute-filter.xml and attribute-policy.xml to allow for everything to pass through unmolested,

Removing policies doesn't cause everything to pass through, quite the reverse.

>I've tried to use the script like so: ./ --principal newswangerd --configDir /opt/shibboleth-idp/conf/ --requester
> and rather than receiving a SAML
> assertion like the wiki said I should, I got this string:

You're copying some kind of old example, but that error means your IdP isn't reachable over localhost on port 80.

-- Scott
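
Added example, not part of the original thread and not Shibboleth's own code: a simplified Python model of the default-deny filtering Scott describes, showing that a filter file with no policies releases nothing while explicit permit rules release only the named attributes. It assumes the `afp:` and `basic:` prefixes map to the legacy `urn:mace:shibboleth:2.0:afp` namespaces (the post omits the declarations); the function name `released`, the sample policies and the attribute values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AFP = "{urn:mace:shibboleth:2.0:afp}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def _is_any(rule):
    """True if the element exists and its xsi:type is ANY (prefix ignored)."""
    return rule is not None and rule.get(XSI_TYPE, "").split(":")[-1] == "ANY"

def released(filter_xml, resolved):
    """Return the resolved attributes that survive the filter.

    Simplified model (assumption): only ANY matchers are understood and
    deny rules are ignored. No matching permit rule means no release.
    """
    permitted = set()
    for policy in ET.fromstring(filter_xml).iter(AFP + "AttributeFilterPolicy"):
        if not _is_any(policy.find(AFP + "PolicyRequirementRule")):
            continue  # policy is not active for this requester
        for rule in policy.findall(AFP + "AttributeRule"):
            if _is_any(rule.find(AFP + "PermitValueRule")):
                permitted.add(rule.get("attributeID"))
    return {k: v for k, v in resolved.items() if k in permitted}

# Constructed sample data, not taken from the poster's deployment.
HEAD = ('<afp:AttributeFilterPolicyGroup id="demo"'
        ' xmlns:afp="urn:mace:shibboleth:2.0:afp"'
        ' xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"'
        ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">')
TAIL = "</afp:AttributeFilterPolicyGroup>"
NO_POLICIES = HEAD + TAIL  # every policy deleted
PERMIT_TWO = HEAD + """
  <afp:AttributeFilterPolicy id="releaseToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="surname">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="mail">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>""" + TAIL
RESOLVED = {"surname": ["Example"], "mail": ["user@example.org"], "uid": ["jdoe"]}

if __name__ == "__main__":
    print("no policies:", released(NO_POLICIES, RESOLVED))
    print("two permits:", released(PERMIT_TWO, RESOLVED))
```

The resolved `uid` value is dropped in both cases because no rule names it, which separates a filter problem from a resolver or connector problem when checking where release breaks down.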
