Encoded principle attribute

Mackay, Rob Rob.Mackay at ellucian.com
Mon May 2 16:28:50 EDT 2016

Thanks for the response and the patience.

This is a CAS-Shib install using Shib 2.4.0 as the IdP and CAS server 3.5.3. The workflow follows the pattern of 1) SSO login, 2) launch to Office365, 3) SAML request inbound, 4) SAML response fails due to the encrypted user principal causing failure of attribute return, as you noted. The value for the user principal in this situation should be coming from the CAS assertion, based on the Unicon cas-shib bridge implementation.

I see a proper redirect to the CAS login page when a request is submitted outside of an SSO session, with the expected behavior of forwarding back to the proper app upon failure of the SAML request, so it appears the CAS login config is working correctly.

I validated that all config elements from this wiki entry are correct:

Rob MacKay

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Monday, May 2, 2016 11:39 AM
To: Shib Users
Subject: RE: Encoded principle attribute

> 09:18:18.656 - WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:491] - No attribute of principal 'rdeWOox+N8Gc626Gq/ZXarrUzjM=' can be encoded in to a NameIdentifier of required format 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' for relying party 'urn:federation:MicrosoftOnline'

Well, I don't know what to tell you, but you have something doing authentication that's supplying it with a username that's incomprehensible. I certainly don't think that's typical, but I guess that's really up to you; authentication is a local matter. I don't know what you're doing to handle that, and you didn't say.

Whether that's usable in our LDAP lookup is also a local matter.

The log just means what it says: you don't have an attribute resolved that has a NameID encoder attached of that Format. I would imagine the LDAP lookup returns nothing and so there are no attributes resolved.

> with a response of
> <saml2p:Status>
>   <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>

That means an SP explicitly demanded a particular Format and it couldn't satisfy the request.

-- Scott
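For readers hitting the same InvalidNameIDPolicy status, the following is an added illustration (not from the thread, and not Rob's or Scott's configuration) of what "an attribute with a NameID encoder of that Format" looks like in the Shibboleth IdP 2.x resolver and filter syntax. It assumes an LDAP data connector with id "myLDAP", a source attribute "uid", and a placeholder salt; the relying party id is the one from the log line above. It only helps once the resolver actually produces a value for the principal, which, as Scott notes, is the likely underlying problem when the principal name is opaque.

```xml
<!-- attribute-resolver.xml (Shibboleth IdP 2.x syntax).
     Assumed names: connector "myLDAP", source attribute "uid"; the salt is a placeholder.
     A ComputedId definition hashes the source attribute with the salt and the SP's
     entityID into a stable, opaque value, and the attached encoder lets the IdP emit
     it as a persistent-format NameID. -->
<resolver:AttributeDefinition xsi:type="ad:ComputedId" id="computedID"
        generatedAttributeID="computedID"
        sourceAttributeID="uid"
        salt="REPLACE_WITH_A_RANDOM_SALT_OF_AT_LEAST_16_BYTES">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: the encoded attribute must also be released to the SP,
     otherwise the encoder is never consulted and the same warning is logged. -->
<afp:AttributeFilterPolicy id="releasePersistentIdToMicrosoftOnline">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="urn:federation:MicrosoftOnline" />
    <afp:AttributeRule attributeID="computedID">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

Two checks when this still fails: confirm in the IdP log that the source attribute resolves a value for the authenticated principal (with an opaque principal name such as the one in the WARN line, the LDAP connector will usually return nothing), and confirm the SP's requested Format in the AuthnRequest's NameIDPolicy matches the nameFormat on the encoder, since InvalidNameIDPolicy is returned precisely when the requested Format cannot be satisfied.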
