SP removing attribute value

Tom Scavo trscavo at gmail.com
Fri Jul 21 16:33:17 EDT 2017


On Fri, Jul 21, 2017 at 3:55 PM, Cathy Scott <cathystill at gmail.com> wrote:
>
> Running the current version of Shibboleth SP with Apache HTTPD for a Java
> app on Windows. Client IdP is PingFederate.  Attribute released is eppn.
> Shibboleth creates the attribute mapping. But then removes the value.  Users
> can successfully authenticate but no attribute is passed.

Either the IdP doesn't release the attribute or the SP doesn't accept it.

> INFO Shibboleth.AttributeExtractor.XML : loaded XML resource
> (C:/opt/shibboleth-sp/etc/shibboleth/attribute-map.xml)
> INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute
> urn:oid:1.3.6.1.4.1.5923.1.1.1.6
> WARN Shibboleth.AttributeFilter [1]: removed value at position (0) of
> attribute (eppn) from (https://institution.edu)
> WARN Shibboleth.AttributeFilter [1]: no values left, removing attribute
> (eppn) from (https://institution.edu)

ePPN is a scoped attribute. By default, the Shibboleth SP filters
ePPNs with scopes it doesn't recognize.

Check the IdP metadata. Does it contain a <shibmd:Scope> extension
element with the required scope? If not, that's the problem.

You can configure the SP to relax its scope checking behavior but
that's dangerous. Instead focus on the metadata.

Tom

