Scoped attributes are being filtered
Boyd, Todd M.
tmboyd1 at ccis.edu
Thu Dec 28 12:18:00 EST 2017
To help with troubleshooting, you could try and disable encryption for that SP in relying-party.xml.
Here's an example of an override we have on one of our SPs:
<util:list id="shibboleth.RelyingPartyOverrides">
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://redacted.com">
<property name="profileConfigurations">
<list>
<bean parent="SAML2.SSO" p:encryptAssertions="false" p:signAssertions="true" p:signResponses="false" />
</list>
</property>
</bean>
</util:list>
From: users <users-bounces at shibboleth.net> on behalf of Richard Frovarp <richard.frovarp at ndsu.edu>
Sent: Thursday, December 28, 2017 10:52:29 AM
To: Shib Users
Subject: Scoped attributes are being filtered
I'm trying to upgrade our IdP, and to validate, I'm testing against a
native Shibboleth SP.
The SP is filtering the ePPN and scoped affiliation attributes out. I'm
trying to figure out where my problem is. If I make it so that those two
attributes aren't scope filtered, the SP reports back the correct values
with the correct scope / suffix. This makes me think that the data
leaving the IdP is correct.
To me that indicates that I'm having trouble configuring the SP. The
metadata for the IdP that the SP has the correct scope. However, that
scope isn't using the same subdomain as the entity id or even the URL of
the IdP. Not sure if that makes any difference or not. And of course
everything is encrypted, so trying to look at the raw messages isn't the
easiest.
Any ideas as to which end is wrong?
Thanks,
Richard
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users
mailing list