Problems using FEIDE as IdP with shibboleth

Peter Schober peter.schober at univie.ac.at
Mon Apr 4 08:40:14 EDT 2016


* Lars Slettjord <lars.slettjord at uit.no> [2016-04-04 11:37]:
> I tried setting showAttributeValues="true". First with the default
> attribute-map.xml. I got these lines in the shibd.log:

The only effect of showAttributeValues is showing the values when
accessing /Shibboleth.sso/Session using a browser with an established
session. If you have access to the logs this doesn't buy you anything.

>   2016-04-04 11:22:29 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: eduPersonPrincipalName, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
>   2016-04-04 11:22:29 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: givenName, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
>   2016-04-04 11:22:29 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: mail, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
>   2016-04-04 11:22:29 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: sn, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
>   2016-04-04 11:22:29 INFO Shibboleth.SessionCache [1]: new session created: ID (_c78dab41cea165551eb04070b870af9e) IdP (https://idp-test.feide.no) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (129.242.xxx.xxx)

That's to be expected, as the default attribute-map.xml (as
distributed in Shibboleth packages or releases) doesn't contain any
mappings with basic names at all.

> Then I tried the suggested FEIDE configuration for eduPersonPrincipalName in attribute-map.xml:
> 
>     <Attribute name="eduPersonPrincipalName"
>                nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>                id="eppn">
>         <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
>     </Attribute>
> 
> Which gave this output in shibd.log:

>   2016-04-04 11:29:58 WARN Shibboleth.AttributeFilter [1]: removed value at position (0) of attribute (eppn) from (https://idp-test.feide.no)
>   2016-04-04 11:29:58 WARN Shibboleth.AttributeFilter [1]: no values left, removing attribute (eppn) from (https://idp-test.feide.no)

That just means it skipped ePPN for another reason, probably because
the Scope in the attribute value does not match the Scope extension in
the asserting IDP's SAML Metadata: For eduPerson attributes that are
defined to be scoped[1] to come through, the right-hand side (the scope,
e.g. "example.org" for an ePPN value of "foobar at example.org") needs to
be listed in the IDP's SAML Metadata as Scope extension[2].
[1] http://macedir.org/specs/eduperson/#Scope
[2] https://wiki.shibboleth.net/confluence/display/SC/ShibMetaExt+V1.0

I don't see SAML Metadata published for https://idp-test.feide.no
anywhere (e.g. in https://met.refeds.org/ ) so maybe talk to the
FEIDE folks, at <support at feide.no>.
If you want to take out the guesswork without having to understand the
details of scoped attributes yourself feel free to send references to
that IDP's SAML2.0 Metadata and a copy of the Assertion received from
that SP.

As for all the other attributes: If you added back in the "basic"
mappings you had before (but without the unnecessary and incorrect
Scoped attribute decoder for what are unscoped attributes) you'd see
those coming through, I'm sure.
-peter
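Added illustration, not part of the thread: this script mimics the scope check Peter describes, reading the shibmd:Scope extension from a constructed IdP metadata fragment and dropping any scoped attribute value whose right-hand side is not listed, which reproduces the "removed value at position (0)" / "no values left" behaviour seen in the shibd.log above. The metadata, entityID and attribute values are constructed; only literal (regexp="false") scopes are handled.

```python
import xml.etree.ElementTree as ET

SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# Constructed IdP metadata fragment (not FEIDE's real metadata). The Scope
# extension lists the scopes this IdP is trusted to assert.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.org</shibmd:Scope>
      <shibmd:Scope regexp="false">students.example.org</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_scopes(metadata_xml):
    """Return the literal scopes declared in the IdP's metadata (lower-cased)."""
    root = ET.fromstring(metadata_xml)
    scopes = set()
    for el in root.iter("{%s}Scope" % SHIBMD_NS):
        if el.get("regexp", "false").lower() == "true":
            continue  # regexp scopes are out of scope for this example
        scopes.add((el.text or "").strip().lower())
    return scopes


def filter_scoped_values(attr_id, values, scopes):
    """Keep only values of the form local@scope whose scope the IdP may assert.

    Returns (kept_values, log_lines); the log lines follow the shape of the
    AttributeFilter warnings quoted in the thread."""
    kept, log = [], []
    for pos, value in enumerate(values):
        local, sep, scope = value.rpartition("@")
        if not sep or not local or scope.lower() not in scopes:
            log.append("WARN removed value at position (%d) of attribute (%s)"
                       % (pos, attr_id))
            continue
        kept.append(value)
    if not kept:
        log.append("WARN no values left, removing attribute (%s)" % attr_id)
    return kept, log


if __name__ == "__main__":
    allowed = idp_scopes(IDP_METADATA)
    for line in filter_scoped_values("eppn", ["bob@other.example"], allowed)[1]:
        print(line)
```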