Need help in shibboleth configuration

bhupendra.a.singh at accenture.com bhupendra.a.singh at accenture.com
Tue May 23 13:30:33 EDT 2017 

Thanks Peter.

I have done the changes as you mentioned below but still not able to get the remote_user in the header request. Please let me know if something is missing.

SAML response:

<Attribute Name="https://federation /schemas/claims/1/enterpriseid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><AttributeValue>EnterpriseID</AttributeValue></Attribute>

Attribute-map.xml

    <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="https://federation/schemas/claims/1/enterpriseid" id="ENTID" />

Shibboleth2.xml

    <ApplicationDefaults entityID="https://appname/shibboleth"
                         REMOTE_USER="ENTID">

Thanks & Regards,
Bhupendra

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: Tuesday, May 23, 2017 8:30 PM
To: users at shibboleth.net
Subject: Re: Need help in shibboleth configuration

* bhupendra.a.singh at accenture.com <bhupendra.a.singh at accenture.com> [2017-05-23 16:46]:
> I have done the changes as mentioned below but still not getting the
> REMOTE_USER value in response.

Did you consult the appropriate documentation?

> <Attribute
> Name="https://urldefense.proofpoint.com/v2/url?u=https-3A__federation-2Dsts_schemas_claims_1_enterpriseid&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=iyop1o4k3D-LmubkaV19fs58JOYX7uCPiqL6a-rQTeM&m=B6X57QRVFk0ppi07gtQ74KDFd_paUe1YvCuCgK90Wxg&s=wco2q7E9Cjnw91jWP6sNgOoKzFmtxQD4GSblRzTqZeA&e= "
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><Attrib
> uteValue>Enterprise
> ID </AttributeValue></Attribute>

The "Name" of the attribute from the SAML Assertion is what needs to go in to the Attribute/@name in the Shib SP's attribute-map.xml.
(Hence the, well, name.)

> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="enterprise_id">
>   <AttributeDecoderxsi:type="ScopedAttributeDecoder"/>
> </Attribute>

You can't just change the "id" of an arbitrary existing entry in the distributed attribute-map.xml. Instead create a new entry (ideally after reading the documentation) and provide the details for *your* attribute name:
The "name" in your attribute-map.xml bares no resemblence at all to the Attribute "Name" from the SAML Assertion. How should the software know that it should look for an attribute named "https://urldefense.proofpoint.com/v2/url?u=https-3A__federation-2Dsts_schemas_claims_1_enterpriseid&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=iyop1o4k3D-LmubkaV19fs58JOYX7uCPiqL6a-rQTeM&m=B6X57QRVFk0ppi07gtQ74KDFd_paUe1YvCuCgK90Wxg&s=wco2q7E9Cjnw91jWP6sNgOoKzFmtxQD4GSblRzTqZeA&e= " when you configiure its name to be "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"?

-peter
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

________________________________

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________

www.accenture.com

More information about the users mailing list