Shib IdP 3 and IOP online service

Maja Wolniewicz mgw at umk.pl
Tue Mar 24 05:41:45 EDT 2015


Hi,

While testing our new Shibboleth IdP 3 installation I found a problem with 
publishing attributes to IOP online services 
(https://ticket.iop.org/shibboleth).
According to the IdP logs this SP sends the IdPInitiatedSSORequest.
After successful login the IdP resolves attributes:
2015-03-24 09:31:22,770 - DEBUG 
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:205] - 
Attribute Resolver 'ShibbolethAttributeResolver': Final resolved 
attribute collection: [eduPersonEntitlement, commonName, 
pleduOrgUniqueNumber, eduPersonAffiliation, displayName, givenName, uid, 
eduPersonScopedAffiliation, eduPersonTargetedID, UserId, surname, 
nameidattr, eduPersonPrincipalName, email]
and filters them:
2015-03-24 09:31:22,791 - DEBUG 
[net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:167] - 
Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for 
attribute 'eduPersonScopedAffiliation' remained after filtering
2015-03-24 09:31:22,792 - DEBUG 
[net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:167] - 
Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for 
attribute 'eduPersonTargetedID' remained after filtering

but filtered attributes are not passed to the attribute release consent 
(eduPersonScopedAffiliation isn't blacklisted, eduPersonTargetedID is):
2015-03-24 09:31:22,796 - DEBUG 
[net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:101] 
- Profile Action SelectProfileInterceptorFlow: Checking flow 
intercept/attribute-release for applicability...
2015-03-24 09:31:22,797 - DEBUG 
[net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:106] 
- Profile Action SelectProfileInterceptorFlow: Flow 
intercept/attribute-release was not applicable to this request
2015-03-24 09:31:22,797 - DEBUG 
[net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:80] 
- Profile Action SelectProfileInterceptorFlow: No flows available to 
choose from

and when a response is built the AttributeStatement isn't added.
With disabled attribute release consent for this site I'm getting the same.

What am I doing wrong?

Releasing attributes to SAML2 SPs works.

Thanks,
Maja

-- 
Maja Gorecka-Wolniewicz          mgw at umk.pl
Uczelniane Centrum               Information & Communication
Informatyczne                    Technology Centre
Uniwersytet Mikolaja Kopernika   Nicolaus Copernicus University
Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland
tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574
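
Added example (not part of the original message and not Shibboleth project code): a small Python triage script that rejoins mail-wrapped IdP DEBUG records and reports which attributes were resolved, which survived filtering, and which interceptor flows were skipped. It assumes the message wording is exactly as in the log lines quoted above; the sample input is constructed from those lines with a shortened attribute list.

```python
import re

# Constructed sample modelled on the DEBUG records quoted above (mail-wrapped on purpose).
SAMPLE_LOG = """\
2015-03-24 09:31:22,770 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:205] -
Attribute Resolver 'ShibbolethAttributeResolver': Final resolved attribute
collection: [uid, eduPersonScopedAffiliation, eduPersonTargetedID, email]
2015-03-24 09:31:22,791 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:167] -
Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for
attribute 'eduPersonScopedAffiliation' remained after filtering
2015-03-24 09:31:22,792 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:167] -
Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for
attribute 'eduPersonTargetedID' remained after filtering
2015-03-24 09:31:22,797 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:106]
- Profile Action SelectProfileInterceptorFlow: Flow
intercept/attribute-release was not applicable to this request
"""

RECORD_START = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} - ")
RESOLVED = re.compile(r"Final resolved attribute collection: \[([^\]]*)\]")
FILTERED = re.compile(r"(\d+) values for attribute '([^']+)' remained after filtering")
SKIPPED = re.compile(r"Flow (\S+) was not applicable to this request")

def unwrap(text):
    """Rejoin wrapped lines so that each log record is one string."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)          # a timestamp starts a new record
        else:
            records[-1] += " " + line     # continuation of the previous record
    return [" ".join(r.split()) for r in records if r.strip()]

def summarize(text):
    """Compare resolver output with filter output and list skipped flows."""
    resolved, kept, skipped = [], {}, []
    for rec in unwrap(text):
        if m := RESOLVED.search(rec):
            resolved = [a.strip() for a in m.group(1).split(",") if a.strip()]
        elif m := FILTERED.search(rec):
            kept[m.group(2)] = int(m.group(1))   # attribute -> values left
        elif m := SKIPPED.search(rec):
            skipped.append(m.group(1))
    dropped = sorted(set(resolved) - set(kept))
    return {"resolved": resolved, "after_filter": kept,
            "filtered_out": dropped, "flows_not_applicable": skipped}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
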

