troubleshooting attribute release for idp 3.3.3
Takeshi NISHIMURA
takeshi at nii.ac.jp
Tue Aug 28 05:19:34 EDT 2018
Thanks Peter. You are correct.
https://wiki.shibboleth.net/confluence/display/IDP30/AACLI
> The format of the output is controlled by the presence or absence of the "saml1" and "saml2" options. With neither present, the output is derived directly from the internal attributes produced by the resolver, and are rendered using a simple JSON notation that is neutral in form and doesn't follow any particular standard. Otherwise, the appropriate encoding into SAML is done, and this includes the production of a <NameID> or <NameIdentifier>, based on the overall configuration of the system.
Best regards,
Takeshi
On 2018/08/28 17:45, Peter Schober wrote:
> * Takeshi NISHIMURA <takeshi at nii.ac.jp> [2018-08-28 10:32]:
>> On 2018/08/26 6:20, Peter Schober wrote:
>>> * Scott Koranda <skoranda at gmail.com> [2018-08-25 11:47]:
>>>>> * Pablo Vidaurri <psvidaurri at gmail.com> [2018-08-25 02:37]:
>>>>>> How can I troubleshoot attribute resolution and filtering?
>>>>
>>>> There is a command line tool.
>>>
>>> The aacli is great. It just doesn't tell you /why/ something doesn't
>>> leave the IDP, only /that/. Which the OP already seems to know.
>>
>> Is there a similar method for saml2:NameID?
>
> Not sure what you'll mean but I always add "--saml2" to my aacli
> invocations and that shows the whole Assertion, including any NameIDs
> that would be going into the Assertion's subject.
>
> -peter
More information about the users
mailing list