Shibboleth Issue - Attribute-filter.xml

Byron Sayres bsayres at rcc.mass.edu
Thu Apr 7 11:48:15 EDT 2016 

Looking for assistance with a new Shibboleth instance. Authentication is working and seems to be passing to 3rd party. Now my issue is what I’m allowing via attribute-filter.xml. The 3rd party wrote me the below email. Any help on decoding what they are saying and how to fix it would be awesome!


Email from 3rd Party:

The requested values to map are
x-r25-first-name = urn:oid:2.5.4.42
x-r25-family-name = urn:oid:2.5.4.4
x-r25-email-work = urn:oid:0.9.2342.19200300.100.1.3
x-r25-user = urn:oid:1.3.6.1.4.1.5923.1.1.1.6

It looks like there is a miscommunication in the release policy. Here's the info from our auth team

they have only asserted one attribute (named "urn:oid:1.3.6.1.4.1.5923.1.1.1.9" (a.k.a. "eduPersonScopedAffiliation").  They are not releasing any of the attributes they have requested us to map.  My first guess would be there is an error  in their attribute release policy.  One common thing missed is to leave the trailing / off our entity ID.



Here is my attribute-resolver.xml

attribute-resolver.xml
 <!-- email is Email Address -->
    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="email" scope="mydomain.dom" sourceAttributeID="mail">
        <resolver:Dependency ref="ActiveDirectory" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
    </resolver:AttributeDefinition>

    <!-- surname  is Last Name -->
    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="surname" scope="mydomain.dom" sourceAttributeID="sn">
        <resolver:Dependency ref="ActiveDirectory" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
    </resolver:AttributeDefinition>

    <!-- givenName is First Name -->
    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="givenName" scope="mydomain.dom" sourceAttributeID="givenName">
        <resolver:Dependency ref="ActiveDirectory" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
    </resolver:AttributeDefinition>

     <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="mydomain.dom" sourceAttributeID="sAMAccountName">
        <resolver:Dependency ref="ActiveDirectory" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
    </resolver:AttributeDefinition>

<resolver:DataConnector id="ActiveDirectory" xsi:type="dc:LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
ldapURL="ldaps://server.mydomain.dom:636"
connectionStrategy="DEFAULT"
baseDN=“dc=mydomain,dc=dom"
principal=“CN=shibserv,OU=Services,DC=mydomain,DC=dom"
principalCredential=“password">
<dc:FilterTemplate>
<![CDATA[
(sAMAccountName=$requestContext.principalName)
]]>
</dc:FilterTemplate>

<ReturnAttributes>sAMAccountName mail givenName sn displayName</ReturnAttributes>

<LDAPProperty name="java.naming.referral" value="follow" />

</resolver:DataConnector>


Here is my attribute-filter.xml

attribute-filter.xml
        <afp:AttributeRule attributeID="mail">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

<afp:AttributeRule attributeID="givenName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
<afp:AttributeRule attributeID="sn">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
<afp:AttributeRule attributeID="sAMAccountName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

<afp:AttributeRule attributeID="eduPersonScopedAffiliation">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160407/e954e797/attachment-0001.html>

More information about the users mailing list