Access Denied
Tabitha O. Locklear
tabithao.locklear at uncp.edu
Wed Aug 8 14:37:11 EDT 2018
Scott, when I look at the logs for our old V2 (production instance), it looks as though it's looking for a transient Id to encode.
14:17:28.594 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:548] - Filtering out potential name identifier attributes which do not support one of the following formats: [urn:oasis:names:tc:SAML:2.0:nameid-format:transient]
14:17:28.594 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:567] - Retaining attribute Login which may be encoded as a name identifier of format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
14:17:28.594 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:567] - Retaining attribute transientId which may be encoded as a name identifier of format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
14:17:28.594 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:672] - Selecting attribute to be encoded as a name identifier by encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
14:17:28.594 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:699] - Selecting the first attribute that can be encoded in to a name identifier
14:17:28.595 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:483] - Name identifier for relying party 'https://uncp-stg.saasit.com/' will be built from attribute 'Login'
14:17:28.595 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:864] - Using attribute 'Login' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party 'https://uncp-stg.saasit.com/'
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Wednesday, August 08, 2018 1:58 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: Access Denied
> 2018-08-08 17:29:18,100 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:100] - Configuration specifies the following formats: []
So you are not choosing a Format in relying-party.xml, which is fine; that's not the recommended way to do it unless you have to because you're trying to forcibly use the "unspecified" Format constant.
> 2018-08-08 17:29:18,101 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:113] - Configuration did not specify any formats, relying on metadata alone
And you have the metadata, so you know whether it is specifying any Format(s). And if not, and you have to rely on a NameID, then you would have to change that.
If the answer to both methods of Format selection is that they're not being used, then it's going to choose the default Format, which is transient. Which I would imagine is what it's doing?
-- Scott
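The selection order Scott describes (formats configured in relying-party.xml first, then the SP's metadata NameIDFormat elements, then the transient default) can be modelled in a few lines. The following is an added example written for this thread, not code from the Shibboleth IdP; the `select_formats` and `metadata_formats` functions are hypothetical, and the two SP metadata documents are constructed for the demonstration rather than taken from any real relying party. It only covers the three cases the reply names and does not attempt to reproduce anything else the IdP does when both configuration and metadata list formats.

```python
import xml.etree.ElementTree as ET
from typing import List

# SAML 2.0 metadata namespace and the NameID format URIs discussed in the thread.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed SP metadata (hypothetical entityID) that declares one NameIDFormat.
SP_METADATA_WITH_FORMAT = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed SP metadata with no NameIDFormat element at all.
SP_METADATA_NO_FORMAT = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def metadata_formats(metadata_xml: str) -> List[str]:
    """Return the NameIDFormat values the SP's metadata advertises, in document order."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        return []
    formats = []
    for el in sp.findall(f"{{{MD_NS}}}NameIDFormat"):
        value = (el.text or "").strip()
        if value:
            formats.append(value)
    return formats


def select_formats(configured: List[str], metadata_xml: str,
                   default: str = TRANSIENT) -> List[str]:
    """Model of the precedence described in the reply.

    1. Formats listed in the IdP configuration (relying-party.xml) win.
    2. Otherwise the SP metadata's NameIDFormat elements are used.
    3. Otherwise the IdP falls back to its default, transient.
    """
    if configured:
        return list(configured)
    from_metadata = metadata_formats(metadata_xml)
    if from_metadata:
        return from_metadata
    return [default]


if __name__ == "__main__":
    # Nothing configured, metadata says persistent -> persistent.
    print(select_formats([], SP_METADATA_WITH_FORMAT))
    # Nothing configured, nothing in metadata -> transient default (the thread's case).
    print(select_formats([], SP_METADATA_NO_FORMAT))
    # Forcing "unspecified" from configuration overrides the metadata.
    print(select_formats([UNSPECIFIED], SP_METADATA_WITH_FORMAT))
```

Running it with the constructed metadata shows why an empty configuration plus metadata that says nothing about NameID formats ends in a transient NameID: there is simply nothing else to choose from, which is the check to make against the real SP metadata before changing relying-party.xml.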
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net