Attribute query with qualified principal name

IAM David Bantz dabantz at alaska.edu
Mon Feb 9 14:39:32 EST 2015


Integrating our IdP with a vendor that makes a SAML authN request, followed
by an attribute query for attributes. The attribute query identifies the
principal with a qualified name (username@alaska.edu) as a "transient
identifier" rather than the username we use to authenticate and find records in
our directories. The result is an empty result for the attribute query.

This is the first and only attribute query I've encountered; is there an
obvious way to configure the IdP to successfully return attributes? I
suppose the transient identifier is from the principal in the authN SAML
assertion, which the vendor specified as being a scoped username@alaska.edu.

09:30:17.737 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:543] - Resolving principal name for subject of SAML request '_2D6CB1BEF5FAE0BF8758C932ADCE5833' from relying party 'https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt'
09:30:17.737 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:555] - Error resolving principal name for SAML request '_2D6CB1BEF5FAE0BF8758C932ADCE5833' from relying party 'https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt'. Cause: No information associated with transient identifier: djdewolfe@alaska.edu
09:30:17.738 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:49] - Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
09:30:17.738 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder:172] - Building SOAP message...

David Bantz, U Alaska
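The failure in the log above, as an added example that is neither the poster's nor the Shibboleth IdP's code: a small model of how an IdP turns the Subject NameID of a SAML 2.0 AttributeQuery back into a principal before resolving attributes. A NameID handled as a transient identifier is looked up in the IdP's own store of opaque IDs it issued, so a scoped username sent under that format matches nothing and the response carries no attributes; a NameID handled as a scoped name is split on "@", its scope checked against the IdP's, and the local part used directly. The transient store, the directory, the IdP scope (alaska.edu), the SP entityID and the AttributeQuery messages are all constructed here for illustration.

```python
"""Model of Subject NameID resolution for a SAML 2.0 AttributeQuery.

Added example, not Shibboleth code. The transient-ID store, the directory,
the IdP scope and the query messages below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

IDP_SCOPE = "alaska.edu"  # assumed scope for the example

# Constructed store of opaque transient IDs this IdP issued -> principal.
TRANSIENT_STORE = {"_a7b2c9d4e5f6": "djdewolfe"}
# Constructed directory: principal -> released attributes.
DIRECTORY = {
    "djdewolfe": {"mail": "djdewolfe@alaska.edu", "eduPersonAffiliation": "member"},
}


class PrincipalResolutionError(Exception):
    """Raised when a NameID cannot be mapped to a local principal."""


def parse_attribute_query(xml_text):
    """Return (request ID, NameID Format, NameID value) from a SOAP-wrapped AttributeQuery."""
    root = ET.fromstring(xml_text)
    query = root.find(".//samlp:AttributeQuery", NS)
    if query is None:
        raise ValueError("no samlp:AttributeQuery in message")
    name_id = query.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("AttributeQuery has no Subject NameID")
    # SAML Core: an absent Format attribute means "unspecified".
    fmt = name_id.get("Format", FMT_UNSPECIFIED)
    return query.get("ID"), fmt, name_id.text.strip()


def resolve_transient(value):
    """Transient IDs are opaque handles the IdP itself issued; anything else is unknown."""
    principal = TRANSIENT_STORE.get(value)
    if principal is None:
        raise PrincipalResolutionError(
            "No information associated with transient identifier: %s" % value)
    return principal


def resolve_scoped(value):
    """Map user@scope directly to a principal, accepting only the IdP's own scope."""
    user, sep, scope = value.rpartition("@")
    if not sep or not user:
        raise PrincipalResolutionError("expected user@scope, got %r" % value)
    if scope.lower() != IDP_SCOPE:
        raise PrincipalResolutionError("scope %r is not this IdP's scope" % scope)
    return user


# Which resolver handles which NameID Format (the IdP's "principal connectors").
PRINCIPAL_CONNECTORS = {
    FMT_TRANSIENT: resolve_transient,
    FMT_UNSPECIFIED: resolve_scoped,
}


def resolve_principal(fmt, value):
    connector = PRINCIPAL_CONNECTORS.get(fmt)
    if connector is None:
        raise PrincipalResolutionError("no principal connector for NameID format %s" % fmt)
    return connector(value)


def answer_attribute_query(xml_text):
    """Attributes for the query's subject; {} (an empty response) if the principal is unknown."""
    _, fmt, value = parse_attribute_query(xml_text)
    try:
        principal = resolve_principal(fmt, value)
    except PrincipalResolutionError:
        return {}
    return dict(DIRECTORY.get(principal, {}))


def build_query(fmt, value, req_id="_q1"):
    """Constructed SOAP 1.1 / SAML 2.0 AttributeQuery; fmt=None omits the Format attribute."""
    fmt_attr = ' Format="%s"' % fmt if fmt else ""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        '<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="%s" Version="2.0" '
        'IssueInstant="2015-02-09T14:30:17Z">'
        '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
        '<saml:Subject><saml:NameID%s>%s</saml:NameID></saml:Subject>'
        '</samlp:AttributeQuery></soap:Body></soap:Envelope>'
    ) % (req_id, fmt_attr, value)


if __name__ == "__main__":
    # The case from the post: a scoped username handled as a transient ID -> nothing.
    print(answer_attribute_query(build_query(FMT_TRANSIENT, "djdewolfe@alaska.edu")))
    # The same name handled as a scoped name -> attributes.
    print(answer_attribute_query(build_query(FMT_UNSPECIFIED, "djdewolfe@alaska.edu")))
```

The scope check in resolve_scoped is the part worth keeping in any real mapping: a query naming user@some-other-scope must not be allowed to select a local account by its left-hand part alone.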