Need help in shibboleth configuration
bhupendra.a.singh at accenture.com
Tue May 30 11:50:23 EDT 2017
Hi All,
I have to set the attribute value ENTID in the request header. Please help: how can I set this value?
Thanks & Regards,
Bhupendra
-----Original Message-----
From: Singh, Bhupendra A.
Sent: Friday, May 26, 2017 10:21 PM
To: users at shibboleth.net
Subject: RE: Need help in shibboleth configuration
Thanks Peter for your reply.
1. As you mentioned below, we looked at shibd.log and found the exact issue.
2. The decoder "ScopedAttributeDecoder" is wrong for whatever this kind of attribute is. Of course Scott already told you so but you ignored it and decided to copy/paste inapplicable config examples from other, unrelated attributes instead. "Surprisingly" it doesn't work.
- I have removed the decoder from the attribute-map.xml
3.
SAML Response:
<Attribute
Name="https://federation-sts.accenture.com/schemas/claims/1/enterpriseid"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>john </AttributeValue>
</Attribute>
Attribute-map.xml:
<Attribute
name="https://federation-sts-stage.accenture.com/schemas/claims/1/enterpriseid"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="ENTID" />
After all the changes I am still getting the same error.
Thanks & Regards,
Bhupendra
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: Thursday, May 25, 2017 4:59 PM
To: users at shibboleth.net
Subject: Re: Need help in shibboleth configuration
* bhupendra.a.singh at accenture.com <bhupendra.a.singh at accenture.com> [2017-05-24 05:18]:
> Please find below the log details.
That's exactly what I said to look out for:
* Peter Schober <peter.schober at univie.ac.at> [2017-05-23 22:57]:
> The SP's shibd.log will tell you what attributes have been ignored
> ("skipping unmapped") due to not being mapped correctly, or because
> they don't match some policy rules
And your log confirms just that:
> 2017-05-23 13:12:03 INFO Shibboleth.AttributeExtractor.XML [7]:
> skipping unmapped SAML 2.0 Attribute with Name:
> https://federation/schemas/claims/1/enterpriseid,
> Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
This is what you said you have in your SAML Assertion:
* An attribute with the name
"https://federation/schemas/claims/1/enterpriseid"
* and with a NameFormat of
"urn:oasis:names:tc:SAML:2.0:attrname-format:basic".
That is what you put into your attribute-map.xml:
* An attribute with the name
"https://federation-sts-stage/schemas/claims/1/enterpriseid"
* and with a NameFormat of
"urn:oasis:names:tc:SAML:2.0:attrname-format:basic".
* and with a nonsensical "ScopedAttributeDecoder" decoder.
So what are your mistakes:
1. Clearly the string
"https://federation/schemas/claims/1/enterpriseid" is *not* equal to "https://federation-sts-stage/schemas/claims/1/enterpriseid".
You received an attribute with the name of the former, but created a rule with the name of the latter.
2. The decoder "ScopedAttributeDecoder" is wrong for whatever this kind of attribute is. Of course Scott already told you so but you ignored it and decided to copy/paste inapplicable config examples from other, unrelated attributes instead. "Surprisingly" it doesn't work.
How hard is it to copy and paste a single string into a config file?
Anyway, here's what you should have put into your attribute-map.xml according to some of the zensored examples you posted to this list:
<Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
name="https://federation/schemas/claims/1/enterpriseid" id="ENTID"/>
Personally I suspect this is the result of you "censoring" examples for the purpose of posting to this list (i.e., I don't believe the attribute actually is called "https://federation/schemas/claims/1/enterpriseid") plus you're confusing yourself about attribute names vs. host names in DNS.
-peter
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
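The thread's two mistakes (a rule whose name differs from the asserted Name by one host component, and a ScopedAttributeDecoder applied to an unscoped value) can be caught before the SP logs "skipping unmapped". The checker below is an added example, not Shibboleth SP code: it compares the Name/NameFormat pairs in a SAML 2.0 assertion against attribute-map.xml rules with the same exact-string match the SP uses. The assertion and map fragments are constructed from the names quoted in the thread; the handling of a rule with no nameFormat (matching the "unspecified" and "uri" formats) is a simplification of the SP's default, and the scoped-value check is a heuristic, both labelled in the code.

```python
"""Check attribute-map.xml rules against a SAML 2.0 assertion the way the
Shibboleth SP's XML AttributeExtractor matches them: a rule applies only when
Name and NameFormat are byte-for-byte identical. Added example, not SP code."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
# Assumption (simplified from SP behaviour): a rule that omits nameFormat
# matches the 'unspecified' and 'uri' formats.
DEFAULT_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
}

# Names taken from the thread: what the IdP asserts vs. what was put in the map.
IDP_NAME = "https://federation-sts.accenture.com/schemas/claims/1/enterpriseid"
STAGE_NAME = "https://federation-sts-stage.accenture.com/schemas/claims/1/enterpriseid"

# Constructed assertion fragment mirroring the SAML Response posted above.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{IDP_NAME}" NameFormat="{BASIC}">
      <saml:AttributeValue>john</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def build_map(name, decoder=None):
    """Constructed attribute-map.xml with one rule for `name`; `decoder` is an
    optional AttributeDecoder xsi:type such as 'ScopedAttributeDecoder'."""
    dec = f'<AttributeDecoder xsi:type="{decoder}"/>' if decoder else ""
    return (f'<Attributes xmlns="{MAP_NS}" xmlns:xsi="{XSI}">'
            f'<Attribute name="{name}" nameFormat="{BASIC}" id="ENTID">{dec}</Attribute>'
            f'</Attributes>')


def load_rules(map_xml):
    """Return {(name, nameFormat): (id, decoder_type)} for every map rule."""
    rules = {}
    for rule in ET.fromstring(map_xml).iter(f"{{{MAP_NS}}}Attribute"):
        fmt = rule.get("nameFormat")
        formats = {fmt} if fmt else DEFAULT_FORMATS
        decoder = rule.find(f"{{{MAP_NS}}}AttributeDecoder")
        dtype = decoder.get(f"{{{XSI}}}type") if decoder is not None else "StringAttributeDecoder"
        for f in formats:
            rules[(rule.get("name"), f)] = (rule.get("id"), dtype)
    return rules


def check_mapping(assertion_xml, map_xml):
    """Return (mapped, unmapped, warnings): mapped is {rule id: [values]},
    unmapped lists (Name, NameFormat) pairs no rule matched exactly (the case
    shibd.log reports as 'skipping unmapped'), warnings flags scoped decoders
    on values that carry no '@scope' (heuristic)."""
    rules = load_rules(map_xml)
    mapped, unmapped, warnings = {}, [], []
    for attr in ET.fromstring(assertion_xml).iter(f"{{{SAML2}}}Attribute"):
        key = (attr.get("Name"), attr.get("NameFormat"))
        values = [v.text.strip() for v in attr.iter(f"{{{SAML2}}}AttributeValue") if v.text]
        if key not in rules:
            unmapped.append(key)
            continue
        rule_id, dtype = rules[key]
        if dtype == "ScopedAttributeDecoder" and any("@" not in v for v in values):
            warnings.append(f"{rule_id}: ScopedAttributeDecoder on unscoped value")
        mapped.setdefault(rule_id, []).extend(values)
    return mapped, unmapped, warnings


if __name__ == "__main__":
    cases = [
        ("as first posted", build_map(STAGE_NAME, "ScopedAttributeDecoder")),
        ("name fixed, decoder kept", build_map(IDP_NAME, "ScopedAttributeDecoder")),
        ("name copied verbatim, no decoder", build_map(IDP_NAME)),
    ]
    for label, map_xml in cases:
        print(label, "->", check_mapping(ASSERTION, map_xml))
```

Running the script walks through the thread in order: the first map matches nothing (one host label differs, so the attribute is unmapped), the second maps ENTID but warns about the scoped decoder on a plain value, and only the third yields ENTID = john with no findings. The same check can be run on a real assertion captured from the SP's debug log against the live attribute-map.xml.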