"Disappearing" Attributes in IdP v3

Mon Apr 25 14:32:16 EDT 2016

I seem to have some attributes that "disappear" in the Attribute Resolver even though their values are found in Active Directory.   Below are excerpts from idp-process.log showing two of the AD attributes/values were found (sn and displayName), but when the attribute resolver tries to map them, it seems to be able to "see" only the sn/surname value from AD, and not the displayName value from AD.

I have also included excerpts from attribute-resolver.xml showing the entries for those two attributes.

My questions are:

*         Any ideas on what could be causing this "disappearing trick"?

*         Any suggestions on how to troubleshoot this?

*         Would having a connection pool accessing various AD domains and OUs have an impact? (Only one instance of the username exists in the entire pool.)

Any help is appreciated!  Thanks!

------------------------------------

>From idp-process.log:

Here we see the values for displayName and sn are found in the data source:
2016-04-22 15:26:40,675 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:143] - Data Connector 'myAD11': Attribute 'displayName': Values '[StringAttributeValue{value=John Smith}]'
2016-04-22 15:26:40,680 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:143] - Data Connector 'myAD11': Attribute 'sn': Values '[StringAttributeValue{value=Smith}]'

Here we see the attribute 'surname' getting its value from the AD attribute 'sn':
2016-04-22 15:26:40,689 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:247] - Attribute Definition 'surname': produced an attribute with the following values [StringAttributeValue{value=Siochi}]
2016-04-22 15:26:40,690 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:272] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition 'surname' produced an attribute with 1 values

Here, however, the 'displayName' does not get a value, even though there is something in the 'displayName' AD attribute.
2016-04-22 15:26:40,690 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:245] - Attribute Definition 'displayName': produced an attribute with no values
2016-04-22 15:26:40,691 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:272] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition 'displayName' produced an attribute with 0 values

In attribute-resolver.xml, these are the entries for sn/surname and displayname.

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
        <resolver:Dependency ref="myAD11" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName">
        <resolver:Dependency ref="myAD11" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
    </resolver:AttributeDefinition>

------------------
Lucia Siochi
Senior Systems Architect, IT Services
Central Piedmont Community College
Central Campus, Citizens Bldg
PO Box 35009 Charlotte, NC  28235
704.330.6521
www.cpcc.edu<http://www.cpcc.edu/>
[cid:image001.png at 01CCCA1C.75B56920]
We value your feedback. How is our service<http://surveys.cpcc.edu/47408/47408.asp> at CPCC?

________________________________

This e-mail, including any attachments, is intended only for the addressee's use and may contain confidential and proprietary information. If you are not the intended recipient, you are hereby notified that any retention, dissemination, reproduction, or use of the information contained in this e-mail is strictly prohibited. If you have received this e-mail by error, please delete it and immediately notify the sender. Thank you for your cooperation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160425/429d7f24/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 2555 bytes
Desc: image003.jpg
URL: <http://shibboleth.net/pipermail/users/attachments/20160425/429d7f24/attachment-0001.jpg>