Shibboleth Issue - Attribute-filter.xml
Nate Klingenstein
ndk at sudonym.me
Thu Apr 7 11:54:45 EDT 2016
Byron,
If you turn the logging to DEBUG for relevant categories — main and ldap, I think — you’ll be able to see exactly which attributes are available at which point in the flow processing.
They could be dropping the attributes on their end, or you could not have the intended attributes populated or readable by this service account, or more.
The only thing I saw that absolutely won’t work is the release rule for “sn”. You’ve got it defined as “surname” rather than “sn”.
Take care,
Nate.
> On Apr 7, 2016, at 09:48, Byron Sayres <bsayres at rcc.mass.edu> wrote:
>
> Looking for assistance with a new Shibboleth instance. Authentication is working and seems to be passing to 3rd party. Now my issue is what I’m allowing via attribute-filter.xml. The 3rd party wrote me the below email. Any help on decoding what they are saying and how to fix it would be awesome!
>
>
> Email from 3rd Party:
>
> The requested values to map are
> x-r25-first-name = urn:oid:2.5.4.42
> x-r25-family-name = urn:oid:2.5.4.4
> x-r25-email-work = urn:oid:0.9.2342.19200300.100.1.3
> x-r25-user = urn:oid:1.3.6.1.4.1.5923.1.1.1.6
>
> It looks like there is a miscommunication in the release policy. Here's the info from our auth team
>
> they have only asserted one attribute (named "urn:oid:1.3.6.1.4.1.5923.1.1.1.9" (a.k.a. "eduPersonScopedAffiliation"). They are not releasing any of the attributes they have requested us to map. My first guess would be there is an error in their attribute release policy. One common thing missed is to leave the trailing / off our entity ID.
>
>
>
> Here is my attribute-resolver.xml
>
> attribute-resolver.xml
> <!-- email is Email Address -->
> <resolver:AttributeDefinition xsi:type="ad:Scoped" id="email" scope="mydomain.dom" sourceAttributeID="mail">
> <resolver:Dependency ref="ActiveDirectory" />
> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
> </resolver:AttributeDefinition>
>
> <!-- surname is Last Name -->
> <resolver:AttributeDefinition xsi:type="ad:Scoped" id="surname" scope="mydomain.dom" sourceAttributeID="sn">
> <resolver:Dependency ref="ActiveDirectory" />
> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
> </resolver:AttributeDefinition>
>
> <!-- givenName is First Name -->
> <resolver:AttributeDefinition xsi:type="ad:Scoped" id="givenName" scope="mydomain.dom" sourceAttributeID="givenName">
> <resolver:Dependency ref="ActiveDirectory" />
> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
> </resolver:AttributeDefinition>
>
> <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="mydomain.dom" sourceAttributeID="sAMAccountName">
> <resolver:Dependency ref="ActiveDirectory" />
> <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
> </resolver:AttributeDefinition>
>
> <resolver:DataConnector id="ActiveDirectory" xsi:type="dc:LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
> ldapURL="ldaps://server.mydomain.dom:636"
> connectionStrategy="DEFAULT"
> baseDN="dc=mydomain,dc=dom"
> principal="CN=shibserv,OU=Services,DC=mydomain,DC=dom"
> principalCredential="password">
> <dc:FilterTemplate>
> <![CDATA[
> (sAMAccountName=$requestContext.principalName)
> ]]>
> </dc:FilterTemplate>
>
> <ReturnAttributes>sAMAccountName mail givenName sn displayName</ReturnAttributes>
>
> <LDAPProperty name="java.naming.referral" value="follow" />
>
> </resolver:DataConnector>
>
>
> Here is my attribute-filter.xml
>
> attribute-filter.xml
> <afp:AttributeRule attributeID="mail">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
>
> <afp:AttributeRule attributeID="givenName">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="sn">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="sAMAccountName">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
>
> <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160407/d1ac82cf/attachment-0001.html>
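The mismatch Nate points at (a filter rule for "sn" when the resolver defines the attribute as "surname") is easy to catch before turning on DEBUG logging: every attributeID in attribute-filter.xml has to name an AttributeDefinition id in attribute-resolver.xml, and the SP's requested OIDs have to be the encoder names on those definitions. The script below is an added example, not code from the thread or from the Shibboleth project. It parses constructed resolver and filter fragments modelled on the ones quoted above (IdP v2 namespace URIs are assumed, and the SP entityID https://sp.example.org/shibboleth and policy id releaseToR25 are hypothetical), maps each requested OID back to a resolver id, checks whether a PermitValueRule releases that id, lists filter rules that match no definition, and also flags the trailing-slash entityID mismatch the third party mentioned.

```python
"""Cross-check a Shibboleth IdP v2 attribute-resolver.xml against attribute-filter.xml.
Added example, not from the thread or the Shibboleth project. Namespace URIs are
assumed to be the IdP v2 ones; the XML fragments are constructed for this check."""
import xml.etree.ElementTree as ET

NS = {
    "resolver": "urn:mace:shibboleth:2.0:resolver",
    "afp": "urn:mace:shibboleth:2.0:afp",
}

# Constructed resolver: same ids and SAML2 encoder names as in the thread.
RESOLVER_XML = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute-encoder"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="ad:Scoped" id="email" scope="mydomain.dom" sourceAttributeID="mail">
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"/></resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="ad:Scoped" id="surname" scope="mydomain.dom" sourceAttributeID="sn">
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn"/></resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="ad:Scoped" id="givenName" scope="mydomain.dom" sourceAttributeID="givenName">
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName"/></resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="mydomain.dom" sourceAttributeID="sAMAccountName">
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName"/></resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

# Constructed filter: the thread's rules inside a policy keyed on a hypothetical
# SP entityID that was written with a trailing slash.
FILTER_XML = """<afp:AttributeFilterPolicyGroup
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseToR25">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.org/shibboleth/"/>
    <afp:AttributeRule attributeID="mail"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="sn"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="sAMAccountName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

# What the SP asked for in the thread: SP-side name -> SAML2 attribute name (OID).
REQUESTED = {
    "x-r25-first-name": "urn:oid:2.5.4.42",
    "x-r25-family-name": "urn:oid:2.5.4.4",
    "x-r25-email-work": "urn:oid:0.9.2342.19200300.100.1.3",
    "x-r25-user": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
}


def defined_attributes(resolver_xml):
    """Map each AttributeDefinition id to the wire names its encoders emit."""
    root = ET.fromstring(resolver_xml)
    return {
        d.get("id"): {e.get("name") for e in d.findall("resolver:AttributeEncoder", NS)}
        for d in root.iter(f"{{{NS['resolver']}}}AttributeDefinition")
    }


def released_attributes(filter_xml):
    """attributeIDs that carry at least one PermitValueRule anywhere in the filter."""
    root = ET.fromstring(filter_xml)
    return {
        rule.get("attributeID")
        for rule in root.iter(f"{{{NS['afp']}}}AttributeRule")
        if rule.find("afp:PermitValueRule", NS) is not None
    }


def audit(resolver_xml, filter_xml, requested):
    """Per requested OID: is it defined, and does the filter release that id?
    Also returns filter rules whose attributeID matches no resolver definition;
    such rules release nothing, which is the failure mode in this thread."""
    defined = defined_attributes(resolver_xml)
    released = released_attributes(filter_xml)
    id_for_name = {name: aid for aid, names in defined.items() for name in names}
    report = {}
    for sp_name, wire_name in requested.items():
        aid = id_for_name.get(wire_name)
        if aid is None:
            report[sp_name] = "no AttributeDefinition encodes " + wire_name
        elif aid not in released:
            report[sp_name] = f"defined as id='{aid}' but no AttributeRule releases that id"
        else:
            report[sp_name] = "released"
    return report, sorted(released - set(defined))


def requester_mismatches(filter_xml, sp_entity_id):
    """AttributeRequesterString values that differ from the SP entityID only by a trailing slash."""
    root = ET.fromstring(filter_xml)
    return [
        rule.get("value")
        for rule in root.iter(f"{{{NS['afp']}}}PolicyRequirementRule")
        if rule.get("value") and rule.get("value") != sp_entity_id
        and rule.get("value").rstrip("/") == sp_entity_id.rstrip("/")
    ]


if __name__ == "__main__":
    report, dangling = audit(RESOLVER_XML, FILTER_XML, REQUESTED)
    for sp_name, status in report.items():
        print(f"{sp_name}: {status}")
    print("filter rules with no resolver definition:", dangling)
    print("requester values off by a slash:", requester_mismatches(FILTER_XML, "https://sp.example.org/shibboleth"))
```

Run it against your real files by replacing the two constructed strings with the contents of attribute-resolver.xml and attribute-filter.xml. The check is deliberately strict about ids: the IdP matches filter rules on the resolver id, not on the LDAP source attribute or the friendlyName, so a rule for "sn" does nothing when the definition is "surname", and the same holds for "mail" versus "email" and "sAMAccountName" versus "eduPersonPrincipalName" in the fragments above.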