SP removing attribute value

Cathy Scott cathystill at gmail.com
Fri Jul 21 17:53:33 EDT 2017


Thanks Tom,

The IdP metadata does not include <shibmd:Scope>.  In fact, on closer
inspection, their metadata looks very different from what I've seen before.
Below is the first part of their metadata.  Can you tell me what I need to
request instead of what they have provided?  Appreciate your help!

<md:EntityDescriptor ID="xxxxxxx" cacheDuration="PT120M" entityID="https://institution.edu"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#xxxxxxx">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>hrIX5EfyqcahZ7Hqg5sprRR22BVrSlUI6O+CZ1AtjC8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>



On Fri, Jul 21, 2017 at 1:33 PM, Tom Scavo <trscavo at gmail.com> wrote:

> On Fri, Jul 21, 2017 at 3:55 PM, Cathy Scott <cathystill at gmail.com> wrote:
> >
> > Running the current version of Shibboleth SP with Apache HTTPD for a Java
> > app on Windows. Client IdP is PingFederate.  Attribute released is eppn.
> > Shibboleth creates the attribute mapping. But then removes the value. Users
> > can successfully authenticate but no attribute is passed.
>
> Either the IdP doesn't release the attribute or the SP doesn't accept it.
>
> > INFO Shibboleth.AttributeExtractor.XML : loaded XML resource
> > (C:/opt/shibboleth-sp/etc/shibboleth/attribute-map.xml)
> > INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute
> > urn:oid:1.3.6.1.4.1.5923.1.1.1.6
> > WARN Shibboleth.AttributeFilter [1]: removed value at position (0) of
> > attribute (eppn) from (https://institution.edu)
> > WARN Shibboleth.AttributeFilter [1]: no values left, removing attribute
> > (eppn) from (https://institution.edu)
>
> ePPN is a scoped attribute. By default, the Shibboleth SP filters
> ePPNs with scopes it doesn't recognize.
>
> Check the IdP metadata. Does it contain a <shibmd:Scope> extension
> element with the required scope? If not, that's the problem.
>
> You can configure the SP to relax its scope checking behavior but
> that's dangerous. Instead focus on the metadata.
>
> Tom
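
The metadata check described in the quoted reply, as an added example that is not part of the original thread and not Shibboleth's own code: it lists the <shibmd:Scope> values an IdP's metadata declares and tests whether a scoped value such as an ePPN would pass an approximation of the SP's default scope check. The sample metadata, function names and the simplified matching rule (exact match, or full regular-expression match when regexp="true") are assumptions.

```python
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"

# Constructed samples: the first mirrors the thread (no Scope extension),
# the second shows the same entity with a Scope declared.
NO_SCOPE = f'''<md:EntityDescriptor xmlns:md="{MD}" entityID="https://institution.edu">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>'''

WITH_SCOPE = f'''<md:EntityDescriptor xmlns:md="{MD}" xmlns:shibmd="{SHIBMD}"
    entityID="https://institution.edu">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">institution.edu</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>'''


def declared_scopes(metadata_xml):
    """Return (scope, is_regexp) pairs for every shibmd:Scope in one entity's metadata."""
    root = ET.fromstring(metadata_xml)
    scopes = []
    for el in root.iter(f"{{{SHIBMD}}}Scope"):
        is_regexp = el.get("regexp", "false").strip().lower() in ("true", "1")
        scopes.append(((el.text or "").strip(), is_regexp))
    return scopes


def scope_accepted(scoped_value, scopes):
    """True only if the part after the last '@' matches a declared scope."""
    _, sep, scope = scoped_value.rpartition("@")
    if not sep or not scope:
        return False  # unscoped value: nothing to compare against the metadata
    for declared, is_regexp in scopes:
        if is_regexp and re.fullmatch(declared, scope):
            return True
        if not is_regexp and declared == scope:
            return True
    return False


if __name__ == "__main__":
    for label, xml in (("no Scope", NO_SCOPE), ("with Scope", WITH_SCOPE)):
        ok = scope_accepted("user@institution.edu", declared_scopes(xml))
        print(f"{label}: eppn {'kept' if ok else 'filtered'}")
```

For a metadata aggregate, run the check per EntityDescriptor so that one IdP's declared scope is never applied to another IdP's assertions.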