SP removing attribute value
cathystill at gmail.com
Fri Jul 21 17:53:33 EDT 2017
The IdP metadata does not include <shibmd:Scope>. In fact, on closer
inspection, their metadata looks very different from what I've seen before.
Below is the first part of their metadata. Can you tell me what I need to
request instead of what they have provided? Appreciate your help!
<md:EntityDescriptor ID="xxxxxxx" cacheDuration="PT120M" entityID="
On Fri, Jul 21, 2017 at 1:33 PM, Tom Scavo <trscavo at gmail.com> wrote:
> On Fri, Jul 21, 2017 at 3:55 PM, Cathy Scott <cathystill at gmail.com> wrote:
> > Running the current version of Shibboleth SP with Apache HTTPD for a Java
> > app on Windows. Client IdP is PingFederate. Attribute released is eppn.
> > Shibboleth creates the attribute mapping. But then removes the value.
> > I can successfully authenticate but no attribute is passed.
> Either the IdP doesn't release the attribute or the SP doesn't accept it.
> > INFO Shibboleth.AttributeExtractor.XML : loaded XML resource
> > (C:/opt/shibboleth-sp/etc/shibboleth/attribute-map.xml)
> > INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute
> > urn:oid:1.3.6.1.4.1.5923.1.1.1.6
> > WARN Shibboleth.AttributeFilter : removed value at position (0) of
> > attribute (eppn) from (https://institution.edu)
> > WARN Shibboleth.AttributeFilter : no values left, removing attribute
> > (eppn) from (https://institution.edu)
> ePPN is a scoped attribute. By default, the Shibboleth SP filters
> ePPNs with scopes it doesn't recognize.
> Check the IdP metadata. Does it contain a <shibmd:Scope> extension
> element with the required scope? If not, that's the problem.
> You can configure the SP to relax its scope checking behavior but
> that's dangerous. Instead focus on the metadata.