Problems using FEIDE as IdP with shibboleth
Lars Slettjord
lars.slettjord at uit.no
Mon Apr 4 05:37:40 EDT 2016
On Tuesday 29. March 2016 12.22.03 Peter Schober wrote:
> That doesn't sound like it's coming from the Shib SP but from your
> application. Anyway: Try setting showAttributeValues="true" in your
> Shib SP and have a look at /Shibboleth.sso/Session after another login
> attempt.
I tried setting showAttributeValues="true". First with the default attribute-map.xml. I got these lines in shibd.log:
2016-04-04 11:22:29 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: eduPersonPrincipalName, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2016-04-04 11:22:29 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: givenName, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2016-04-04 11:22:29 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: mail, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2016-04-04 11:22:29 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: sn, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2016-04-04 11:22:29 INFO Shibboleth.SessionCache [1]: new session created: ID (_c78dab41cea165551eb04070b870af9e) IdP (https://idp-test.feide.no) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (129.242.xxx.xxx)
And the attribute list in https://cripslock.uit.no/Shibboleth.sso/Session was empty:
Miscellaneous
Session Expiration (barring inactivity): 479 minute(s)
Client Address: 129.242.xxx.xxx
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://idp-test.feide.no
Authentication Time: 2016-04-04T08:43:21Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
Authentication Context Decl: (none)
Attributes
I kind of expected this since every attribute is marked as skipped in the log.
Then I tried the suggested FEIDE configuration for eduPersonPrincipalName in attribute-map.xml:
<Attribute name="eduPersonPrincipalName"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
Which gave this output in shibd.log:
2016-04-04 11:29:58 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: givenName, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2016-04-04 11:29:58 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: mail, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2016-04-04 11:29:58 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: sn, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2016-04-04 11:29:58 WARN Shibboleth.AttributeFilter [1]: removed value at position (0) of attribute (eppn) from (https://idp-test.feide.no)
2016-04-04 11:29:58 WARN Shibboleth.AttributeFilter [1]: no values left, removing attribute (eppn) from (https://idp-test.feide.no)
2016-04-04 11:29:58 INFO Shibboleth.SessionCache [1]: new session created: ID (_f866ccd9b4f946b79d52177bd4176590) IdP (https://idp-test.feide.no) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (129.242.xxx.xxx)
So the eppn (eduPersonPrincipalName) is still removed, and the attribute list in https://cripslock.uit.no/Shibboleth.sso/Session is empty.
--
Lars Slettjord
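The log lines above point at two different stages of the SP pipeline: "skipping unmapped" comes from the attribute extractor (no attribute-map.xml entry for that name/nameFormat pair), while "removed value ... no values left" comes from the attribute filter (the attribute was mapped, then dropped by attribute-filter.xml). The following triage script is an added example, not code from the thread or from the Shibboleth project; it parses the poster's shibd.log lines and attribute-map.xml fragment (both embedded as constructed samples, with the namespace wrapper the fragment needs to parse on its own) and sorts each attribute into the stage that dropped it.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample: the shibd.log lines quoted in the thread.
SHIBD_LOG = """\
2016-04-04 11:29:58 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: givenName, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2016-04-04 11:29:58 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: mail, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2016-04-04 11:29:58 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: sn, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2016-04-04 11:29:58 WARN Shibboleth.AttributeFilter [1]: removed value at position (0) of attribute (eppn) from (https://idp-test.feide.no)
2016-04-04 11:29:58 WARN Shibboleth.AttributeFilter [1]: no values left, removing attribute (eppn) from (https://idp-test.feide.no)
"""

# Constructed sample: the attribute-map.xml entry the poster tried, wrapped
# in the <Attributes> root element a real attribute-map.xml carries.
ATTRIBUTE_MAP = """\
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="eduPersonPrincipalName"
             nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
             id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
</Attributes>
"""

UNMAPPED_RE = re.compile(r"skipping unmapped SAML 2\.0 Attribute with Name: (\S+), Format:(\S+)")
FILTERED_RE = re.compile(r"no values left, removing attribute \((\S+)\) from \((\S+)\)")

def mapped_attributes(xml_text):
    """Return {(SAML name, nameFormat): internal id} for each <Attribute> in an attribute-map."""
    ns = {"am": "urn:mace:shibboleth:2.0:attribute-map"}
    root = ET.fromstring(xml_text)
    return {(a.get("name"), a.get("nameFormat")): a.get("id")
            for a in root.findall("am:Attribute", ns)}

def triage(log_text, xml_text):
    """Sort dropped attributes by the stage that dropped them.

    'unmapped': SAML names with no attribute-map entry (fix in attribute-map.xml).
    'filtered': (id, IdP) pairs that were mapped but removed by the filter
                (fix the rule for that id/IdP in attribute-filter.xml)."""
    mapping = mapped_attributes(xml_text)
    out = {"unmapped": [], "filtered": []}
    for line in log_text.splitlines():
        m = UNMAPPED_RE.search(line)
        if m and (m.group(1), m.group(2)) not in mapping:
            out["unmapped"].append(m.group(1))
        m = FILTERED_RE.search(line)
        if m and m.group(1) in mapping.values():
            out["filtered"].append((m.group(1), m.group(2)))
    return out
```

Run against a fresh shibd.log after each config change; an attribute that moves from "unmapped" to "filtered" has cleared the extractor and now needs attention in attribute-filter.xml rather than attribute-map.xml.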