Need help in shibboleth configuration
Peter Schober
peter.schober at univie.ac.at
Thu May 25 07:28:55 EDT 2017
* bhupendra.a.singh at accenture.com <bhupendra.a.singh at accenture.com> [2017-05-24 05:18]:
> Please find below the log details.
That's exactly what I said to look out for:
* Peter Schober <peter.schober at univie.ac.at> [2017-05-23 22:57]:
> The SP's shibd.log will tell you what attributes have been ignored
> ("skipping unmapped") due to not being mapped correctly, or because
> they don't match some policy rules
And your log confirms just that:
> 2017-05-23 13:12:03 INFO Shibboleth.AttributeExtractor.XML [7]:
> skipping unmapped SAML 2.0 Attribute with Name:
> https://federation/schemas/claims/1/enterpriseid,
> Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
This is what you said you have in your SAML Assertion:
* An attribute with the name
"https://federation/schemas/claims/1/enterpriseid"
* and with a NameFormat of
"urn:oasis:names:tc:SAML:2.0:attrname-format:basic".
That is what you put into your attribute-map.xml:
* An attribute with the name
"https://federation-sts-stage/schemas/claims/1/enterpriseid"
* and with a NameFormat of
"urn:oasis:names:tc:SAML:2.0:attrname-format:basic".
* and with a nonsensical "ScopedAttributeDecoder" decoder.
So what are your mistakes:
1. Clearly the string
"https://federation/schemas/claims/1/enterpriseid" is *not* equal to
"https://federation-sts-stage/schemas/claims/1/enterpriseid".
You received an attribute with the name of the former, but created a
rule with the name of the latter.
2. The decoder "ScopedAttributeDecoder" is wrong for whatever this
kind of attribute is. Of course Scott already told you so but you
ignored it and decided to copy/paste inapplicable config examples from
other, unrelated attributes instead. "Surprisingly" it doesn't work.
How hard is it to copy and paste a single string into a config file?
Anyway, here's what you should have put into your attribute-map.xml
according to some of the censored examples you posted to this list:
<Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
name="https://federation/schemas/claims/1/enterpriseid" id="ENTID"/>
Personally I suspect this is the result of you "censoring" examples
for the purpose of posting to this list (i.e., I don't believe the
attribute actually is called
"https://federation/schemas/claims/1/enterpriseid") plus you're
confusing yourself about attribute names vs. host names in DNS.
-peter
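As an added illustration (not part of the post above), the following script mimics the lookup the reply describes: an incoming SAML attribute is mapped only when its Name and NameFormat both equal those of an <Attribute> rule in attribute-map.xml, otherwise it is reported as unmapped. The simplified matching (plain string equality; a rule without nameFormat is assumed to cover the SAML 2.0 "uri" and "unspecified" formats) is an assumption for illustration, not shibd's actual code, and the map fragment and attribute list are constructed.

```python
"""Offline check of an attribute-map.xml against the attributes an IdP sends.
Simplified model of the matching described in the thread; not shibd's code."""
import xml.etree.ElementTree as ET

# Constructed map: first rule reproduces the wrong name from the thread,
# second rule is the corrected one.
ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
             name="https://federation-sts-stage/schemas/claims/1/enterpriseid"
             id="ENTID_wrong"/>
  <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
             name="https://federation/schemas/claims/1/enterpriseid" id="ENTID"/>
</Attributes>"""

NS = "{urn:mace:shibboleth:2.0:attribute-map}"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def load_rules(xml_text):
    """Return {(name, nameFormat): id} for every <Attribute> rule in the map."""
    rules = {}
    for el in ET.fromstring(xml_text).iter(NS + "Attribute"):
        name, fmt, ident = el.get("name"), el.get("nameFormat"), el.get("id")
        if fmt is None:
            # Assumption: a rule without nameFormat covers uri/unspecified.
            for f in (FMT_URI, FMT_UNSPECIFIED):
                rules[(name, f)] = ident
        else:
            rules[(name, fmt)] = ident
    return rules


def map_attribute(rules, name, name_format):
    """Return the mapped id, or None for the 'skipping unmapped' case."""
    return rules.get((name, name_format))


def report_unmapped(rules, incoming):
    """incoming: list of (name, nameFormat) pairs as sent in the assertion.
    Returns log-style lines for each attribute that no rule matches."""
    return [
        "skipping unmapped SAML 2.0 Attribute with Name: %s, Format:%s" % (n, f)
        for n, f in incoming if map_attribute(rules, n, f) is None
    ]
```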