troubleshooting attribute release for idp 3.3.3

Takeshi NISHIMURA takeshi at
Tue Aug 28 05:19:34 EDT 2018

Thanks Peter. You are correct.
> The format of the output is controlled by the presence or absence of the "saml1" and "saml2" options. With neither present, the output is derived directly from the internal attributes produced by the resolver, and are rendered using a simple JSON notation that is neutral in form and doesn't follow any particular standard. Otherwise, the appropriate encoding into SAML is done, and this includes the production of a <NameID> or <NameIdentifier>, based on the overall configuration of the system.

Best regards,

On 2018/08/28 17:45, Peter Schober wrote:
> * Takeshi NISHIMURA <takeshi at> [2018-08-28 10:32]:
>> On 2018/08/26 6:20, Peter Schober wrote:
>>> * Scott Koranda <skoranda at> [2018-08-25 11:47]:
>>>>> * Pablo Vidaurri <psvidaurri at> [2018-08-25 02:37]:
>>>>>> How can I troubleshoot attribute resolution and filtering?
>>>> There is a command line tool.
>>> The aacli is great. It just doesn't tell you /why/ something doesn't
>>> leave the IDP, only /that/. Which the OP already seems to know.
>> Is there a similar method for saml2:NameID?
> Not sure what you'll mean but I always add "--saml2" to my aacli
> invocations and that shows the whole Assertion, including any NameIDs
> that would be going into the Assertion's subject.
> -peter

More information about the users mailing list