missing attributes in output from idpv3 /cas/serviceValidate

Paul B. Henson henson at cpp.edu
Wed Apr 6 20:22:36 EDT 2016

On Wed, Apr 06, 2016 at 09:40:40PM +0000, Cantor, Scott wrote:
> The logging class name to look for ends in
> PrepareTicketValidationResponseAction, it logs on DEBUG when it loops
> over the attribute set to include them in the response object that the
> message gets built with.

When I call the samlValidate endpoint, the logs include:

2016-04-06 16:59:25,075 - DEBUG [net.shibboleth.idp.cas.flow.impl.PrepareTicketValidationResponseAction:111] - Processing IdPAttribute{id=cppEduPersonAffiliation, displayNames={}, displayDescriptions={}, encoders=[net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder at 7302b65a], values=[StringAttributeValue{value=member}, StringAttributeValue{value=staff}, StringAttributeValue{value=eoc_essential}, StringAttributeValue{value=employee}]}

But when I call the serviceValidate endpoint, there are no entries from
that class :(. However, there are entries from the attribute filter

2016-04-06 17:03:36,051 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeFilterPolicy:132] - Attribute Filter Policy 'cas-cppEduPersonAffiliation'  Policy is active for this request
2016-04-06 17:03:36,052 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeFilterPolicy:159] - Attribute Filter Policy 'cas-cppEduPersonAffiliation'  Applying attribute filter policy to current set of attributes: [uid, eduPersonPrincipalName, eduPersonAffiliation, eduPersonPrimaryAffiliation, calstateEduPersonPrimaryAffiliation, organizationName, eduPersonScopedAffiliation, surname, givenName, memberOf, calstateEduPersonAffiliation, title, calstateEduPersonID, eduPersonOrgDN, initials, calstateEduPersonEmplID, eduPersonEntitlement, organizationalUnit, cppEduPersonAffiliation, mail, calstateEduPersonPrincipalName, campusLabsCardId, eduPersonTargetedID, calstateEduPersonOrg, cn, calstateEduPersonAssuranceLevel, telephoneNumber, displayName]
2016-04-06 17:03:36,052 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:168] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_e60b93f7de5d48d591579da43728b17a'  Filtering values for attribute 'cppEduPersonAffiliation' which currently contains 4 values
2016-04-06 17:03:36,052 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:177] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_e60b93f7de5d48d591579da43728b17a'  Filter has permitted the release of 4 values for attribute 'cppEduPersonAffiliation'
2016-04-06 17:03:36,060 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:167] - Attribute filtering engine 'ShibbolethAttributeFilter': 4 values for attribute 'cppEduPersonAffiliation' remained after filtering

So the attributes are getting released, but for some reason the
serviceValidate endpoint isn't including them? Should I open a bug? Or
is there possibly something wrong with my configuration? I don't see how
I could have a configuration that works for samlValidate but not
serviceValidate but who knows :).


Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  henson at cpp.edu
California State Polytechnic University  |  Pomona CA 91768

More information about the users mailing list