Shibboleth Issue - Attribute-filter.xml

Peter Schober peter.schober at
Thu Apr 7 12:31:53 EDT 2016

* Byron Sayres <bsayres at> [2016-04-07 17:48]:
> they have only asserted one attribute (named
> "urn:oid:"
> (a.k.a. "eduPersonScopedAffiliation").  They are not releasing any
> of the attributes they have requested us to map.  My first guess
> would be there is an error  in their attribute release policy.

First thing would be looking at your IDP logs (idp-audit.log) to find
out what attributes you actually released to that SP.
(I'm assuming that will only show eduPersonScopedAffiliation below.)

> The requested values to map are
> x-r25-first-name = urn:oid:
> x-r25-family-name = urn:oid:
> x-r25-email-work = urn:oid:0.9.2342.19200300.100.1.3
> x-r25-user = urn:oid:

OK, givenName, sn, mail, ePPN.
But you don't release half of them in the config snippet you sent:

> Here is my attribute-filter.xml
> attribute-filter.xml
>         <afp:AttributeRule attributeID="mail">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="givenName">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="sn">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="sAMAccountName">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>

You release sAMAccountName instead of ePPN (which is only the source
attribute you populate ePPN from, so probably a copy/paste error from
your resolver configuration) and Nate already pointed out that "sn" !=
(The attributeID values must match the id values from your resolver.)

If it's correct that the SP only receives eduPersonScopedAffiliation
I'd also suggest that the above probably isn't active at all (reason
would be an incorrect PolicyRequirementRule, as implied above) and
that you release eduPersonScopedAffiliation to the SP from some other
overarching rule. (Possibly one that releases
eduPersonScopedAffiliation to anyone, or some such.)

We can't help with the PolicyRequirementRule as (a) you don't include
it, and (b) even if you did we don't know the correct name of the SP,
but that's where I'd look -- after making sure you know what you
actually released.
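As an added illustration of the two checks Peter suggests (attributeID values must match the resolver's AttributeDefinition ids, and a PolicyRequirementRule that does not match the SP's entityID leaves the whole policy inactive), here is a small Python script that is not part of this thread and not Shibboleth project code. It embeds a constructed attribute-filter.xml and attribute-resolver.xml modelled on the fragments above; the entityIDs, the policy ids and the resolver ids (`surname`, `eduPersonPrincipalName`) are hypothetical, and only the `basic:ANY` and `basic:AttributeRequesterString` rule types are evaluated.

```python
import xml.etree.ElementTree as ET

AFP = "{urn:mace:shibboleth:2.0:afp}"
RESOLVER = "{urn:mace:shibboleth:2.0:resolver}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample resembling the quoted attribute-filter.xml. The entityIDs
# are hypothetical; the second policy deliberately names the SP incorrectly.
FILTER_XML = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseAffiliationToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy id="releaseToR25">
    <!-- Mistyped entityID: the SP actually calls itself
         https://r25.example.org/shibboleth -->
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://r25.example.org/" />
    <afp:AttributeRule attributeID="mail">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="sn">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="sAMAccountName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""

# Constructed resolver: the definitions are called "surname" and
# "eduPersonPrincipalName", so "sn" and "sAMAccountName" match nothing.
RESOLVER_XML = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver">
  <resolver:AttributeDefinition id="mail" />
  <resolver:AttributeDefinition id="givenName" />
  <resolver:AttributeDefinition id="surname" />
  <resolver:AttributeDefinition id="eduPersonPrincipalName" />
  <resolver:AttributeDefinition id="eduPersonScopedAffiliation" />
</resolver:AttributeResolver>
"""


def resolver_ids(resolver_xml):
    """Return the set of AttributeDefinition ids the resolver defines."""
    root = ET.fromstring(resolver_xml)
    return {d.get("id") for d in root.iter(RESOLVER + "AttributeDefinition")}


def policy_applies(rule, requester):
    """Evaluate the two PolicyRequirementRule types used in the sample."""
    kind = rule.get(XSI_TYPE)
    if kind == "basic:ANY":
        return True
    if kind == "basic:AttributeRequesterString":
        return rule.get("value") == requester
    # Any other rule type is not modelled here; treat it as non-matching.
    return False


def check_filter(filter_xml, resolver_xml, requester):
    """Return (released, unknown_ids, inactive_policies) for one SP entityID.

    released:  attributeIDs that an active policy permits and the resolver defines
    unknown:   attributeIDs used in any policy that no AttributeDefinition provides
    inactive:  policies whose PolicyRequirementRule does not match this requester
    """
    known = resolver_ids(resolver_xml)
    released, unknown, inactive = set(), set(), []
    for policy in ET.fromstring(filter_xml).iter(AFP + "AttributeFilterPolicy"):
        rule = policy.find(AFP + "PolicyRequirementRule")
        ids = {r.get("attributeID") for r in policy.iter(AFP + "AttributeRule")}
        unknown |= ids - known
        if rule is None or not policy_applies(rule, requester):
            inactive.append(policy.get("id"))
            continue
        released |= ids & known
    return released, unknown, inactive


if __name__ == "__main__":
    sp = "https://r25.example.org/shibboleth"
    released, unknown, inactive = check_filter(FILTER_XML, RESOLVER_XML, sp)
    print("released to", sp, "->", sorted(released))
    print("attributeIDs with no resolver definition ->", sorted(unknown))
    print("policies not matching this SP ->", inactive)
```

Run against the sample, the script reproduces the symptom from the thread: only eduPersonScopedAffiliation is released (from the catch-all policy), the SP-specific policy is reported inactive because its requester string does not equal the SP's entityID, and `sn` and `sAMAccountName` are flagged as ids the resolver never defines. Correcting the `value` to the real entityID makes mail and givenName appear, while the two mismatched ids still release nothing until they are renamed to the resolver's ids.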
