Need help in shibboleth configuration

bhupendra.a.singh at bhupendra.a.singh at
Tue May 23 13:30:33 EDT 2017

Thanks Peter.

I have done the changes as you mentioned below but am still not able to get the remote_user in the header request. Please let me know if something is missing.

SAML response:

<Attribute Name="https://federation /schemas/claims/1/enterpriseid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><AttributeValue>EnterpriseID</AttributeValue></Attribute>


    <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="https://federation/schemas/claims/1/enterpriseid" id="ENTID" />


    <ApplicationDefaults entityID="https://appname/shibboleth"

Thanks & Regards,

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Peter Schober
Sent: Tuesday, May 23, 2017 8:30 PM
To: users at
Subject: Re: Need help in shibboleth configuration

* bhupendra.a.singh at <bhupendra.a.singh at> [2017-05-23 16:46]:
> I have done the changes as mentioned below but still not getting the
> REMOTE_USER value in response.

Did you consult the appropriate documentation?

> <Attribute Name=" " NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><AttributeValue>Enterprise ID </AttributeValue></Attribute>

The "Name" of the attribute from the SAML Assertion is what needs to go into the Attribute/@name in the Shib SP's attribute-map.xml.
(Hence the, well, name.)

> <Attribute name="urn:oid:" id="enterprise_id">
>   <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
> </Attribute>

You can't just change the "id" of an arbitrary existing entry in the distributed attribute-map.xml. Instead create a new entry (ideally after reading the documentation) and provide the details for *your* attribute name:
The "name" in your attribute-map.xml bears no resemblance at all to the Attribute "Name" from the SAML Assertion. How should the software know that it should look for an attribute named " " when you configure its name to be "urn:oid:"?

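The matching rule discussed in this thread can be checked offline before restarting shibd. The following is an added example, not code from the thread or from the Shibboleth project: it compares each Attribute Name and NameFormat in a captured assertion against the entries of an attribute-map.xml and reports whether the mapped id is listed in REMOTE_USER. The host name federation.example.org, the OID urn:oid:1.2.3.4, the REMOTE_USER list and the treatment of a map entry without nameFormat (matching only the uri and unspecified formats) are assumptions.

```python
import xml.etree.ElementTree as ET

FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:"
# Constructed samples; federation.example.org and the OID are placeholders.
CLAIM = "https://federation.example.org/schemas/claims/1/enterpriseid"
ASSERTION = f"""<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="{CLAIM}" NameFormat="{FMT}basic">
    <saml:AttributeValue>jdoe</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""
MAP_NS = 'xmlns="urn:mace:shibboleth:2.0:attribute-map"'
BAD_MAP = f'<Attributes {MAP_NS}><Attribute name="urn:oid:1.2.3.4" id="enterprise_id"/></Attributes>'
NO_FORMAT_MAP = f'<Attributes {MAP_NS}><Attribute name="{CLAIM}" id="ENTID"/></Attributes>'
GOOD_MAP = (f'<Attributes {MAP_NS}><Attribute name="{CLAIM}" '
            f'nameFormat="{FMT}basic" id="ENTID"/></Attributes>')


def _elements(xml_text, local_name):
    """All elements with the given local name, ignoring namespace prefixes."""
    return [e for e in ET.fromstring(xml_text).iter()
            if e.tag.rsplit("}", 1)[-1] == local_name]


def check_mapping(assertion_xml, map_xml, remote_user):
    """Return {assertion attribute Name: (status, mapped id or None)}."""
    rules = [(r.get("name"), r.get("nameFormat"), r.get("id"))
             for r in _elements(map_xml, "Attribute")]
    result = {}
    for attr in _elements(assertion_xml, "Attribute"):
        name = attr.get("Name")
        fmt = attr.get("NameFormat", FMT + "unspecified")
        status, mapped = "unmapped", None
        for rule_name, rule_fmt, rule_id in rules:
            if rule_name != name:
                continue  # name must equal the assertion's Name exactly
            # Assumption: a rule without nameFormat matches only uri/unspecified.
            accepted = {rule_fmt} if rule_fmt else {FMT + "uri", FMT + "unspecified"}
            if fmt not in accepted:
                status = "nameFormat mismatch"
                continue
            mapped = rule_id
            status = "remote_user" if rule_id in remote_user.split() else "mapped"
            break
        result[name] = (status, mapped)
    return result


if __name__ == "__main__":
    for label, m in [("bad", BAD_MAP), ("no format", NO_FORMAT_MAP), ("good", GOOD_MAP)]:
        print(label, check_mapping(ASSERTION, m, "ENTID eppn"))
```

A status of "mapped" means the attribute is extracted but its id is missing from the REMOTE_USER list, so the SP would not use it to populate REMOTE_USER.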