Need help in shibboleth configuration

Peter Schober peter.schober at
Thu May 25 07:28:55 EDT 2017

* bhupendra.a.singh at <bhupendra.a.singh at> [2017-05-24 05:18]:
> Please find below the log details.

That's exactly what I said to look out for:

* Peter Schober <peter.schober at> [2017-05-23 22:57]:
> The SP's shibd.log will tell you what attributes have been ignored
> ("skipping unmapped") due to not being mapped correctly, or because
> they don't match some policy rules

And your log confirms just that:

> 2017-05-23 13:12:03 INFO Shibboleth.AttributeExtractor.XML [7]:
> skipping unmapped SAML 2.0 Attribute with Name:
> https://federation/schemas/claims/1/enterpriseid,
> Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic

This is what you said you have in your SAML Assertion:

* An attribute with the name
* and with a NameFormat of

That is what you put into your attribute-map.xml:

* An attribute with the name
* and with a NameFormat of
* and with a nonsensical "ScopedAttributeDecoder" decoder.

So what are your mistakes:

1. Clearly the string
"https://federation/schemas/claims/1/enterpriseid" is *not* equal to
You received an attribute with the name of the former, but created a
rule with the name of the latter.

2. The decoder "ScopedAttributeDecoder" is wrong for whatever this
kind of attribute is. Of course Scott already told you so but you
ignored it and decided to copy/paste inapplicable config examples from
other, unrelated attributes instead. "Surprisingly" it doesn't work.

How hard is it to copy and paste a single string into a config file?
Anyway, here's what you should have put into your attribute-map.xml
according to some of the censored examples you posted to this list:

<Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
  name="https://federation/schemas/claims/1/enterpriseid" id="ENTID"/>

Personally I suspect this is the result of you "censoring" examples
for the purpose of posting to this list (i.e., I don't believe the
attribute actually is called
"https://federation/schemas/claims/1/enterpriseid") plus you're
confusing yourself about attribute names vs. host names in DNS.
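
As an added example (not part of this thread or of the Shibboleth project's own code), a small Python script that does the cross-check described above: it pulls the "skipping unmapped" names and formats out of shibd.log and compares them with the rules in attribute-map.xml, flagging a stray trailing comma pasted into a name, a nameFormat mismatch, or a name that has no rule at all. The log lines, the map file and the default-nameFormat assumption (an omitted nameFormat taken as the URI format) are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed shibd.log excerpt: the line quoted in the post, plus two made-up ones.
SHIBD_LOG = """\
2017-05-23 13:12:03 INFO Shibboleth.AttributeExtractor.XML [7]: skipping unmapped SAML 2.0 Attribute with Name: https://federation/schemas/claims/1/enterpriseid, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2017-05-23 13:12:03 INFO Shibboleth.AttributeExtractor.XML [7]: skipping unmapped SAML 2.0 Attribute with Name: https://federation/schemas/claims/1/department, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2017-05-23 13:12:03 INFO Shibboleth.AttributeExtractor.XML [7]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.42, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
"""

# Constructed attribute-map.xml showing the mistakes discussed in the thread:
# a stray comma pasted into the name, and a rule whose nameFormat does not match.
ATTRIBUTE_MAP = """\
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="https://federation/schemas/claims/1/enterpriseid,"
             nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="ENTID"/>
  <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
</Attributes>
"""

LOG_RE = re.compile(r"skipping unmapped SAML 2\.0 Attribute with Name: (?P<name>\S+?), Format:(?P<fmt>\S+)")
NS = "{urn:mace:shibboleth:2.0:attribute-map}"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"  # assumed default for an omitted nameFormat

def unmapped_from_log(log):
    """(name, nameFormat) pairs the SP reported as skipped."""
    return [(m.group("name"), m.group("fmt")) for m in LOG_RE.finditer(log)]

def rules_from_map(xml_text):
    """(name, nameFormat) pairs declared as rules in attribute-map.xml."""
    root = ET.fromstring(xml_text)
    return [(a.get("name"), a.get("nameFormat", URI_FORMAT)) for a in root.iter(NS + "Attribute")]

def explain(unmapped, rules):
    """For each skipped attribute, give the most likely reason no rule matched it."""
    reasons = {}
    for name, fmt in unmapped:
        same_name = [f for n, f in rules if n == name]
        near = [n for n, _ in rules if n != name and n.strip(",; \"'").lower() == name.lower()]
        if same_name:
            reasons[name] = f"nameFormat mismatch: rule has {same_name[0]}, assertion has {fmt}"
        elif near:
            reasons[name] = f"near miss: rule name {near[0]!r} differs only by case or stray punctuation"
        else:
            reasons[name] = "no rule with this name"
    return reasons

if __name__ == "__main__":
    print(explain(unmapped_from_log(SHIBD_LOG), rules_from_map(ATTRIBUTE_MAP)))
```

Run it against a real shibd.log and attribute-map.xml by replacing the two constructed strings with the file contents; wrapped log lines (as in a mail quote) must be joined back onto one line first.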
