SP v2.5.6 transient id error

Mr. Christopher Bland chris at fdu.edu
Sun May 8 18:20:04 EDT 2016 

Hi All,

I  just installed a new v2.5.6 SP on RHEL6 to talk to a v2.4.2 IDP.  The SP is setup like other SPs on campus.  However I keep getting an infinite loop between the SP and the IDP.  From what I can tell there is a breakdown processing the transient  id.  The IDP is receiving the request and sending a response.  The shibd.log shows the following:

2016-05-08 15:06:12 DEBUG Shibboleth.AttributeExtractor.XML [4]: unable to extract attributes, unknown XML object type: saml2p:Response
2016-05-08 15:06:12 DEBUG Shibboleth.AttributeExtractor.XML [4]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient)
2016-05-08 15:06:12 DEBUG Shibboleth.AttributeExtractor.XML [4]: unable to extract attributes, unknown XML object type: saml2:AuthnStatement

The other attributes released in the response are decoded and processed fine

2016-05-08 15:06:12 DEBUG Shibboleth.AttributeDecoder.String [4]: decoding SimpleAttribute (sn) from SAML 2 Attribute (urn:oid:2.5.4.4) with 1 value(s)
2016-05-08 15:06:12 DEBUG Shibboleth.AttributeDecoder.String [4]: decoding SimpleAttribute (cn) from SAML 2 Attribute (urn:oid:2.5.4.3) with 1 value(s)
2016-05-08 15:06:12 DEBUG Shibboleth.AttributeDecoder.String [4]: decoding SimpleAttribute (givenName) from SAML 2 Attribute (urn:oid:2.5.4.42) with 1 value(s)

The transient id is defined as follows on the IDP

        <resolver:AttributeDefinition id="transientId" xsi:type="TransientId" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
            <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />

            <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />

        </resolver:AttributeDefinition>


    <resolver:PrincipalConnector xsi:type="Transient" xmlns="urn:mace:shibboleth:2.0:resolver:pc" id="shibTransient"
        nameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier" />

    <resolver:PrincipalConnector xsi:type="Transient" xmlns="urn:mace:shibboleth:2.0:resolver:pc" id="saml1Unspec"
        nameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />

    <resolver:PrincipalConnector xsi:type="Transient" xmlns="urn:mace:shibboleth:2.0:resolver:pc" id="saml2Transient"
        nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />


I’ve gone through the attribute-map.xml file on this and other SPs and I don’t see historically where it was necessary to define the transient id.

All thoughts and suggestions welcome.

Thank you in advance,

-Chris

More information about the users mailing list