Not getting an attribute statement in IDP assertion

Cantor, Scott cantor.2 at osu.edu
Tue Oct 27 13:38:58 EDT 2015


On 10/27/15, 1:34 PM, "users on behalf of Taylor Centers" <users-bounces at shibboleth.net on behalf of taylor.centers at gmail.com> wrote:



>Scott -- NameID and Attributes are different, but I can use either to associate a user from the ldap database with the user in salesforce.

Then you should use an Attribute, by all means.

>  I can set a Federation ID for a salesforce user and make that the persistent NameID that Shibboleth is sending up.  

No, you can't. Persistent IDs are either generated from a hash or on the fly randomly and stored, and in either case you have no easy way to provision accounts based on them. So that is not what you want.

>idp.persistentId.sourceAttribute = "%{idp.authn.LDAP.baseDN}"

The source attribute property is for setting the name of an IdP-resolved attribute to use as the hash input. It is not a DN, and certainly not a fixed DN, or a property reference.

>but the NameID Field no longer exists when I do that.

No, I wouldn't expect so. And the logs should say something, though perhaps only on DEBUG.

>I'm looking at the assertion in the SAML tracer plugin on Firefox and see there is no Attribute Block so I guess it is the attribute-resolver.xml file that I'm doing something incorrectly in?  
>Is there any other info that I can get you where we might see the problem?

Debug the resolver with logs.

>when I run aacli.sh.  Does this give us any insight into my problem?

It says there are none, which you already know.

-- Scott
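The configuration the reply points at, as an added example that is not part of the original thread and not the IdP's shipped configuration: the LDAP value is resolved as a normal IdP attribute in conf/attribute-resolver.xml, released to the SP by a policy in conf/attribute-filter.xml, and the resolver and filter loggers are raised to DEBUG so idp-process.log explains an empty assertion. The connector id "myLDAP" matches the stock IdP v3 configuration; the attribute name "mail" and the SP entityID "https://sp.example.org/salesforce" are placeholders chosen for this example. For comparison, if a persistent NameID were still wanted, the property in conf/saml-nameid.properties would name a resolved attribute (for example `idp.persistentId.sourceAttribute = uid`), not a DN or a property reference as in the quoted line; these fragments belong inside the root elements of the files named in the comments.

```xml
<!-- conf/attribute-resolver.xml: resolve "mail" from LDAP and encode it as a SAML 2.0 attribute.
     "myLDAP" is the connector id used by the stock IdP v3 configuration; "mail" is an assumed
     attribute name (any stable value Salesforce can match on would do). -->
<AttributeDefinition xsi:type="Simple" id="mail" sourceAttributeID="mail">
    <Dependency ref="myLDAP" />
    <AttributeEncoder xsi:type="SAML2String"
                      name="urn:oid:0.9.2342.19200300.100.1.3"
                      friendlyName="mail" />
</AttributeDefinition>

<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
               ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
               baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
               principal="%{idp.attribute.resolver.LDAP.bindDN}"
               principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}">
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>
    <!-- Only pull what the definitions above actually consume. -->
    <ReturnAttributes>uid mail</ReturnAttributes>
</DataConnector>

<!-- conf/attribute-filter.xml: nothing leaves the IdP unless a policy releases it.
     A resolved-but-unreleased attribute is a common cause of an assertion with no
     AttributeStatement. The entityID is a placeholder; use the one from the SP's metadata. -->
<AttributeFilterPolicy id="releaseMailToSalesforce">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/salesforce" />
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

<!-- conf/logback.xml: log which data connector ran, what it returned, and which
     filter policy (if any) released the result. Setting idp.loglevel.idp = DEBUG in
     conf/idp.properties is the coarser alternative. -->
<logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG" />
<logger name="net.shibboleth.idp.attribute.filter" level="DEBUG" />
```

With the fragments in place, `bin/aacli.sh -n <username> -r https://sp.example.org/salesforce --saml2` prints the attributes as they would be encoded for that SP after both resolution and filtering; if the output is still empty, the DEBUG lines in idp-process.log show whether the connector returned nothing, the definition failed, or no policy matched the requester.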
