eliminating warnings for unscoped attributes

Mizushima, Marcus mmizushima at calstate.edu
Wed Jan 20 12:45:34 EST 2016


I believe the Shibboleth SP ships with a PermitValueRule that checks the values for eduPersonAffiliation ("unscoped-affiliation") and will remove values that aren't in the set. Check your attribute-policy.xml file to verify if your SP is using it.

However, the value being asserted by the IdP is "Consultant", which isn't one of the permissible values for eduPersonAffiliation (see https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-201203.html#eduPersonAffiliation). 

In short, your SP appears to be (correctly) not accepting values outside of the permissible values for eduPersonAffiliation. Tell the IdP to stop it.

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of csross
Sent: Wednesday, January 20, 2016 9:32 AM
To: users at shibboleth.net
Subject: eliminating warnings for unscoped attributes

I was looking at the shibd.log on my SP from a client that has a SimpleSAML IdP. The users have no problems logging in, but I see one or two warning messages with each login attempt.

I have been researching and checking other posts, but I want to understand what to tell the IdP to change to eliminate the error. I don't see these warnings for other IdPs. I believe/think the warning means that since it was not a scoped attribute (@site.com), Shibboleth dropped it?

SHIBD WARN
2016-01-19 14:59:22 WARN Shibboleth.AttributeFilter [2]: removed value at position (0) of attribute (unscoped-affiliation) from
(http://site.site.edu/simplesaml-coi/saml2/idp/metadata.php)
2016-01-19 14:59:22 WARN Shibboleth.AttributeFilter [2]: no values left, removing attribute (unscoped-affiliation) from
(http://site.site.edu/simplesaml-coi/saml2/idp/metadata.php)

I see in my attribute-map.xml the unscoped-affiliation entry, and I believe the shibd.log entry (below) shows that field coming over. I know there are lots of posts, but I definitely don't know what to suggest to the client in order to eliminate it. Is it as simple as saying "don't send that attribute"? I see they are sending many unmapped attributes that are not generating warnings.


SHIBD LOG
..
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Consultant</saml:AttributeValue>
</saml:Attribute>
..


ATTRIBUTE MAP
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
    <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
    <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>

Thank you



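The following is an added illustration of the decode-then-filter behaviour the reply describes; it is my own Python and not code from the Shibboleth SP or from either poster. It reproduces the two WARN lines from the thread by running a constructed AttributeStatement (shaped like the shibd.log fragment above, with "Consultant" as the value) through a toy version of the quoted attribute-map entries and a PermitValueRule-style policy whose permitted set is the eduPersonAffiliation controlled vocabulary from eduPerson 201203. Assumptions, all mine: the map and policy dictionaries are stand-ins for attribute-map.xml and attribute-policy.xml, comparison is case-insensitive because the quoted decoder sets caseSensitive="false", and the second attribute in the constructed statement (urn:example:unmapped-attribute, a hypothetical name) exists only to show that an attribute absent from the map is dropped at decode time and therefore never reaches the filter, which is why unmapped attributes raise no warnings.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Toy attribute map mirroring the two entries quoted in the thread:
# SAML attribute name -> (SP attribute id, caseSensitive flag of the decoder).
ATTRIBUTE_MAP = {
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ("unscoped-affiliation", False),
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": ("unscoped-affiliation", False),
}

# Controlled vocabulary of eduPersonAffiliation (eduPerson 201203).
EDUPERSON_AFFILIATION = frozenset({
    "faculty", "student", "staff", "alum", "member",
    "affiliate", "employee", "library-walk-in",
})

# Toy attribute policy: attribute id -> permitted values (assumption: stands in
# for a PermitValueRule in attribute-policy.xml). Ids without an entry pass through.
POLICY = {"unscoped-affiliation": EDUPERSON_AFFILIATION}


def affiliation_statement(values):
    """Constructed sample: an AttributeStatement carrying the eduPersonAffiliation
    OID with the given values, plus one hypothetical attribute that is not in
    ATTRIBUTE_MAP (to show unmapped attributes are ignored silently)."""
    value_xml = "".join(
        f'<saml:AttributeValue xsi:type="xs:string">{escape(v)}</saml:AttributeValue>'
        for v in values
    )
    return (
        f'<saml:AttributeStatement xmlns:saml="{SAML_NS}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xs="http://www.w3.org/2001/XMLSchema">'
        '<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
        f"{value_xml}</saml:Attribute>"
        '<saml:Attribute Name="urn:example:unmapped-attribute" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
        '<saml:AttributeValue xsi:type="xs:string">ignored</saml:AttributeValue>'
        "</saml:Attribute></saml:AttributeStatement>"
    )


def decode_attributes(statement_xml, attribute_map=ATTRIBUTE_MAP):
    """Decode step: keep only attributes named in the map, keyed by SP id.
    Unmapped attributes are dropped here, so the filter never sees them."""
    root = ET.fromstring(statement_xml)
    decoded = {}
    for attr in root.findall(f"{{{SAML_NS}}}Attribute"):
        mapped = attribute_map.get(attr.get("Name"))
        if mapped is None:
            continue
        attr_id, case_sensitive = mapped
        values = [(v.text or "") for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        entry = decoded.setdefault(attr_id, {"values": [], "case_sensitive": case_sensitive})
        entry["values"].extend(values)
    return decoded


def apply_policy(decoded, issuer, policy=POLICY):
    """Filter step: emulate a PermitValueRule per attribute id; return the
    surviving attributes and shibd-style warning messages."""
    warnings, filtered = [], {}
    for attr_id, entry in decoded.items():
        permitted = policy.get(attr_id)
        if permitted is None:
            filtered[attr_id] = list(entry["values"])
            continue
        norm = (lambda s: s) if entry["case_sensitive"] else str.lower
        allowed = {norm(p) for p in permitted}
        kept = []
        for pos, value in enumerate(entry["values"]):
            if norm(value) in allowed:
                kept.append(value)
            else:
                warnings.append(f"removed value at position ({pos}) of attribute ({attr_id}) from ({issuer})")
        if kept:
            filtered[attr_id] = kept
        else:
            warnings.append(f"no values left, removing attribute ({attr_id}) from ({issuer})")
    return filtered, warnings


def filter_statement(statement_xml, issuer):
    return apply_policy(decode_attributes(statement_xml), issuer)


if __name__ == "__main__":
    issuer = "http://site.site.edu/simplesaml-coi/saml2/idp/metadata.php"
    for values in (["Consultant"], ["Staff", "Consultant"]):
        kept, warns = filter_statement(affiliation_statement(values), issuer)
        print(values, "->", kept)
        for w in warns:
            print("  WARN Shibboleth.AttributeFilter:", w)
```

Run as a script, the first case yields exactly the two warnings from the thread and an empty result, while ["Staff", "Consultant"] keeps "Staff" (case-insensitively) and warns only about position (1); in both runs the unmapped attribute produces nothing at all. The practical takeaway matches the reply: the fix belongs on the IdP side, either by not releasing eduPersonAffiliation or by releasing a value from the controlled vocabulary.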