Access Denied

Tabitha O. Locklear tabithao.locklear at
Tue Aug 7 14:49:47 EDT 2018

I copied the V2 config attribute-resolver.xml and attribute-filter.xml files onto the V3 server

They are configured for legacy.

# Comment out to disable legacy NameID generation via Attribute Resolver
idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator
idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator

The result is the same as before: Access Is Denied.

The report from the SP:

[image attachment image003.jpg, scrubbed from the archive]

Back when we first created a login for our SP we used this documentation.

1. have a deny policy to not release transient ID
2. new definition for username in resolver, the username not as string, but nameid
3. release this username to SP
4. NameIDs cannot be encrypted

In our Attribute-Filter.xml we have


    <afp:AttributeFilterPolicy id="releaseTransientId">
        <afp:PolicyRequirementRule xsi:type="basic:NOT">
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="" />
        </afp:PolicyRequirementRule>
        <afp:AttributeRule attributeID="transientId">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <resolver:AttributeDefinition id="Login" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:Dependency ref="myAD" />
        <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:transient" />
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
    </resolver:AttributeDefinition>

    <AttributeFilterPolicy id="releaseLoginToSAASIT">
        <PolicyRequirementRule xsi:type="Requester" value="" />
        <AttributeRule attributeID="Login">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

I copied the relying-party.xml.dist file and inserted the part for the SP.



    <!-- Container for any overrides you want to add. -->
    <util:list id="shibboleth.RelyingPartyOverrides">

        <!--
        Override example that identifies a single RP by name and configures it
        for SAML 2 SSO without encryption. This is a common "vendor" scenario.
        -->
        <bean parent="RelyingPartyByName" c:relyingPartyIds="">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:encryptNameIDs="false" p:encryptAssertions="false" />
                    <bean parent="SAML2.AttributeQuery" p:encryptAssertions="false" p:encryptNameIDs="false" />
                </list>
            </property>
        </bean>

    </util:list>

But the result is still the same.

-----Original Message-----
From: users <users-bounces at> On Behalf Of Peter Schober
Sent: Wednesday, August 01, 2018 11:23 AM
To: users at
Subject: Re: Access Denied

* Tabitha O. Locklear <tabithao.locklear at<mailto:tabithao.locklear at>> [2018-08-01 17:18]:

> I had so much time into building the V3 and I had all but two SPs
> working, I felt that it would be a simple fix; but not understanding
> the syntax has made it far too difficult.

I have tried to provide an answer to your original problem report.

If you don't understand something or need more detailed explanations you could ask (even if the reply might be a pointer to existing documentation).
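The three fragments in the message above (the resolver definition with a NameID encoder, the filter policy keyed on the SP's entityID, and the relying-party override that turns NameID encryption off) only work together when all of them name the same SP. The Python check below is an added example, not code from this thread or from the Shibboleth project: it parses the three files, matches element and xsi:type names without regard to namespace prefix so V2-style (basic:ANY) and V3-style (ANY) files compare alike, and reports which piece is missing for a given entityID. The sample files and the entityID https://sp.example.org/shibboleth are constructed placeholders.

```python
import xml.etree.ElementTree as ET
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
def local(name):
    """Strip a namespace ({uri}Name) or a prefix (basic:ANY) so V2- and V3-style files compare alike."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]
def nameid_attributes(resolver_xml):
    """IDs of attribute definitions carrying a SAML2 NameID encoder (step 2 of the recipe)."""
    return {ad.get("id") for ad in ET.fromstring(resolver_xml).iter() if local(ad.tag) == "AttributeDefinition"
            and any(local(e.tag) == "AttributeEncoder" and local(e.get(XSI_TYPE, "")) == "SAML2StringNameID" for e in ad)}
def released_to(filter_xml, sp):
    """Attribute IDs permitted (ANY) by a policy whose Requester rule names this SP's entityID (step 3)."""
    out = set()
    for pol in ET.fromstring(filter_xml).iter():
        req = [r for r in pol if local(r.tag) == "PolicyRequirementRule" and r.get("value") == sp
               and local(r.get(XSI_TYPE, "")) in ("Requester", "AttributeRequesterString")]
        if local(pol.tag) == "AttributeFilterPolicy" and req:
            out |= {r.get("attributeID") for r in pol if local(r.tag) == "AttributeRule" and any(
                local(p.tag) == "PermitValueRule" and local(p.get(XSI_TYPE, "")) == "ANY" for p in r)}
    return out
def nameid_unencrypted(rp_xml, sp):
    """True if a RelyingPartyByName override for this SP sets encryptNameIDs=false on SAML2.SSO (step 4)."""
    for bean in ET.fromstring(rp_xml).iter():
        ids = [i.strip() for k, v in bean.attrib.items() if local(k) == "relyingPartyIds" for i in v.split(",")]
        if bean.get("parent") == "RelyingPartyByName" and sp in ids:
            return any(p.get("parent") == "SAML2.SSO" and any(local(k) == "encryptNameIDs" and v == "false"
                       for k, v in p.attrib.items()) for p in bean.iter())
    return False
def audit(sp, resolver_xml, filter_xml, rp_xml):
    """Gaps that would leave this SP without a usable NameID; an empty list means the three files agree."""
    nameids = nameid_attributes(resolver_xml)
    checks = [(nameids, "no AttributeDefinition carries a SAML2StringNameID encoder"),
              (nameids & released_to(filter_xml, sp), "no NameID-encoded attribute is released to " + sp),
              (nameid_unencrypted(rp_xml, sp), "no RelyingPartyByName override disables NameID encryption for " + sp)]
    return [msg for ok, msg in checks if not ok]

# Constructed sample files with a placeholder entityID; real files carry much more than this.
SP = "https://sp.example.org/shibboleth"
RESOLVER = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><resolver:AttributeDefinition id="Login" xsi:type="Simple"
 xmlns="urn:mace:shibboleth:2.0:resolver:ad"><resolver:AttributeEncoder xsi:type="SAML2StringNameID"
 xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</resolver:AttributeDefinition></resolver:AttributeResolver>"""
FILTER = """<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><AttributeFilterPolicy id="releaseLoginToSP">
 <PolicyRequirementRule xsi:type="Requester" value="%s"/><AttributeRule attributeID="Login">
 <PermitValueRule xsi:type="ANY"/></AttributeRule></AttributeFilterPolicy></AttributeFilterPolicyGroup>""" % SP
RP = """<beans xmlns="http://www.springframework.org/schema/beans" xmlns:c="http://www.springframework.org/schema/c"
 xmlns:p="http://www.springframework.org/schema/p"><bean parent="RelyingPartyByName" c:relyingPartyIds="%s">
 <property name="profileConfigurations"><list><bean parent="SAML2.SSO" p:encryptNameIDs="false"/></list></property></bean></beans>""" % SP
```

Run audit(SP, RESOLVER, FILTER, RP) against the real files' contents; each string it returns names the file that does not yet mention the SP.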


