Not getting an attribute statement in IDP assertion
Cantor, Scott
cantor.2 at osu.edu
Tue Oct 27 13:38:58 EDT 2015
On 10/27/15, 1:34 PM, "users on behalf of Taylor Centers" <users-bounces at shibboleth.net on behalf of taylor.centers at gmail.com> wrote:
>Scott -- NameID and Attributes are different, but I can use either to associate a user from the LDAP database with the user in Salesforce.
Then you should use an Attribute, by all means.
> I can set a Federation ID for a Salesforce user and make that the persistent NameID that Shibboleth is sending up.
No, you can't. Persistent IDs are either generated from a hash or on the fly randomly and stored, and in either case you have no easy way to provision accounts based on them. So that is not what you want.
>idp.persistentId.sourceAttribute = "%{idp.authn.LDAP.baseDN}"
The source attribute property is for setting the name of an IdP-resolved attribute to use as the hash input. It is not a DN, and certainly not a fixed DN, or a property reference.
>but the NameID Field no longer exists when I do that.
No, I wouldn't expect so. And the logs should say something, though perhaps only on DEBUG.
>I'm looking at the assertion in the SAML tracer plugin on Firefox and see there is no Attribute Block so I guess it is the attribute-resolver.xml file that I'm doing something incorrectly in?
>Is there any other info that I can get you where we might see the problem?
Debug the resolver with logs.
>when I run aacli.sh. Does this give us any insight into my problem?
It says there are none, which you already know.
-- Scott
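
Added example, not part of the original message and not Shibboleth's code: a sketch of a hash-based persistent ID of the kind the reply describes, showing that the value is opaque and differs per SP, and that nothing is issued when the configured source attribute names no resolved attribute. The hash layout, salt, attribute values and entity IDs are constructed assumptions; the IdP's actual algorithm is not reproduced here.

```python
import base64
import hashlib
from typing import Optional

# Constructed sample data: attributes a resolver might return for one user.
RESOLVED = {"uid": ["tcenters"], "mail": ["tcenters@example.org"]}
SALT = b"constructed-salt-not-a-real-secret"
SP_A = "https://saml.salesforce.com"          # sample entity ID
SP_B = "https://sp.example.org/shibboleth"    # second, constructed SP


def persistent_id(attrs: dict, source_attribute: str,
                  sp_entity_id: str, salt: bytes) -> Optional[str]:
    """Return a per-SP opaque ID, or None if the source attribute is absent."""
    values = attrs.get(source_attribute) or []
    if not values or not values[0]:
        return None  # nothing to hash, so no persistent NameID can be issued
    digest = hashlib.sha256()
    # Illustrative layout: length-prefix each part so inputs cannot run together.
    for part in (sp_entity_id.encode(), values[0].encode(), salt):
        digest.update(len(part).to_bytes(4, "big"))
        digest.update(part)
    return base64.b32encode(digest.digest()).decode().rstrip("=")


def demo() -> dict:
    return {
        # Source attribute is the *name* of a resolved attribute: works.
        "sp_a": persistent_id(RESOLVED, "uid", SP_A, SALT),
        # Same user, different SP: a different, unlinkable value.
        "sp_b": persistent_id(RESOLVED, "uid", SP_B, SALT),
        # A DN or property reference names no resolved attribute: no ID.
        "misconfigured": persistent_id(
            RESOLVED, "%{idp.authn.LDAP.baseDN}", SP_A, SALT),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```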