Need help in shibboleth configuration
bhupendra.a.singh at accenture.com
Wed May 24 04:02:18 EDT 2017
Hi Peter,
Please find below the shibd.log.
Shibd.log
2017-05-24 03:24:16 DEBUG Shibboleth.AttributeExtractor.XML [3]: unable to extract attributes, unknown XML object type: samlp:Response
2017-05-24 03:24:16 DEBUG Shibboleth.AttributeExtractor.XML [3]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:2.0:nameid-format:string)
2017-05-24 03:24:16 DEBUG Shibboleth.AttributeExtractor.XML [3]: unable to extract attributes, unknown XML object type: {urn:oasis:names:tc:SAML:2.0:assertion}AuthnStatement
2017-05-24 03:24:16 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2017-05-24 03:24:16 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: https://federation/schemas/claims/1/enterpriseid, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2017-05-24 03:24:16 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: https://federation/schemas/claims/1/peoplekey, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2017-05-24 03:24:16 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: https://federation/schemas/claims/1/personnelnumber, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2017-05-24 03:24:16 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: http://schemas.xmlsoap.org/claims/Group, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
2017-05-24 03:24:16 DEBUG Shibboleth.SSO.SAML2 [3]: resolving attributes...
2017-05-24 03:24:16 DEBUG Shibboleth.AttributeResolver.Query [3]: found AttributeStatement in input to new session, skipping query
Thanks & Regards,
Bhupendra
-----Original Message-----
From: Singh, Bhupendra A.
Sent: Wednesday, May 24, 2017 8:47 AM
To: users at shibboleth.net
Subject: RE: Need help in shibboleth configuration
Hi Peter,
Please find below the log details. I could not find anything specific to my issue in error_log and ss_error_log. The blank space was a typo in my mail; otherwise it is correct in the configuration. Please provide the policy details which I have to take care of.
Shibd.log
2017-05-23 13:12:03 INFO Shibboleth.AttributeExtractor.XML [7]: skipping unmapped SAML 2.0 Attribute with Name: https://federation/schemas/claims/1/enterpriseid, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Transaction.log
2017-05-23 13:07:29 INFO Shibboleth-TRANSACTION [6]: Cached the following attributes with session (ID: _c6c635286740fa2d4c3d9249942ad67f) for (applicationId: default) {
2017-05-23 13:07:29 INFO Shibboleth-TRANSACTION [6]: }
2017-05-23 13:12:03 INFO Shibboleth-TRANSACTION [7]: New session (ID: _198a1eb5486cbeb597eeb9e547d8683c) with (applicationId: default) for principal from (IdP: urn:federation:stage) at (ClientAddress: 0.0.0.0) with (NameIdentifier: Enterprise_ID) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _2bf81ac2-6fc4-4877-ac53-1706ab46e86c)
2017-05-23 13:12:03 INFO Shibboleth-TRANSACTION [7]: Cached the following attributes with session (ID: _198a1eb5486cbeb597eeb9e547d8683c) for (applicationId: default) {
2017-05-23 13:12:03 INFO Shibboleth-TRANSACTION [7]: }
Thanks & Regards,
Bhupendra
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: Wednesday, May 24, 2017 2:27 AM
To: users at shibboleth.net
Subject: Re: Need help in shibboleth configuration
* bhupendra.a.singh at accenture.com <bhupendra.a.singh at accenture.com> [2017-05-23 19:31]:
> I have done the changes as you mentioned below but still not able to
> get the remote_user in the header request. Please let me know if
> something is missing.
Your Shib config looks OK, from what I can tell (though it doesn't match the SAML Attribute, as that has a blank space in its Attribute/@Name in your previous email:
Name="https://federation /schemas/claims/1/enterpriseid"
while your attribute-map.xml has none. I'll write that up to copy/paste issues with your email but your logs will tell you exactly what's happening:
The SP's shibd.log will tell you what attributes have been ignored ("skipping unmapped") due to not being mapped correctly, or because they don't match some policy rules, the SP's transaction.log will tell you what attributes have been received and mapped successfully, and finally Apache httpd's access log will tell you what it thinks about REMOTE_USER.
-peter
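Added example (not part of the original messages or of the Shibboleth project): a short Python script that applies the log reading Peter describes, listing the SAML attributes that shibd.log reports as "skipping unmapped" and the sessions that transaction.log shows with an empty attribute set. The sample lines are copied from the log excerpts in this thread; the function names are illustrative.

```python
import re
from collections import Counter

# Sample lines copied from the shibd.log and transaction.log excerpts in this thread.
SHIBD_LOG = """\
2017-05-24 03:24:16 DEBUG Shibboleth.AttributeExtractor.XML [3]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:2.0:nameid-format:string)
2017-05-24 03:24:16 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: https://federation/schemas/claims/1/enterpriseid, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2017-05-24 03:24:16 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: http://schemas.xmlsoap.org/claims/Group, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
"""
TRANSACTION_LOG = """\
2017-05-23 13:12:03 INFO Shibboleth-TRANSACTION [7]: Cached the following attributes with session (ID: _198a1eb5486cbeb597eeb9e547d8683c) for (applicationId: default) {
2017-05-23 13:12:03 INFO Shibboleth-TRANSACTION [7]: }
"""

UNMAPPED = re.compile(
    r"skipping unmapped SAML 2\.0 Attribute with Name: (?P<name>.+?), Format:(?P<fmt>\S+)")
CACHE_OPEN = re.compile(
    r"Cached the following attributes with session \(ID: (?P<sid>[^)]+)\)")
PREFIX = re.compile(r"^\S+ \S+ \w+ Shibboleth-TRANSACTION \[\d+\]: ")

def unmapped_attributes(log_text):
    """Return {(Name, Format): count} for SAML attributes the SP skipped as unmapped."""
    hits = Counter()
    for line in log_text.splitlines():
        m = UNMAPPED.search(line)
        if m:
            hits[(m["name"], m["fmt"])] += 1
    return dict(hits)

def empty_sessions(log_text):
    """Return session IDs whose 'Cached the following attributes' block has no entries."""
    empty, current, entries = [], None, 0
    for line in log_text.splitlines():
        body = PREFIX.sub("", line).strip()
        m = CACHE_OPEN.search(body)
        if m:                       # start of a session's attribute block
            current, entries = m["sid"], 0
        elif current and body == "}":
            if entries == 0:        # block closed without listing any attribute
                empty.append(current)
            current = None
        elif current:
            entries += 1            # any line inside the block counts as an entry
    return empty

if __name__ == "__main__":
    for (name, fmt), n in unmapped_attributes(SHIBD_LOG).items():
        print(f"unmapped x{n}: Name={name!r} Format={fmt}")
    print("sessions with no attributes:", empty_sessions(TRANSACTION_LOG))
```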