Unable to include attributes in IdP Assertion

Peter Schober peter.schober at univie.ac.at
Thu Feb 8 17:14:57 EST 2018


* Zacharyzachary Pearson <zpearson at hawk.iit.edu> [2018-02-02 16:39]:
> I’ve created attributes in Attribute-resolver.xml and a filter in
> attribute-filter.xml but the attribute does not get returned. Below
> are the attributes and the filter that I made

The resolver looks OK from a quick look, but your filter doesn't:

> <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
>         xmlns="urn:mace:shibboleth:2.0:afp"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
> 
> 
>         <AttributeRule attributeID="uid">
>                 <PermitValueRule xsi:type="ANY" />
>         </AttributeRule>
> 
> </AttributeFilterPolicyGroup>

The child elements of the root element "AttributeFilterPolicyGroup"
need to be AttributeFilterPolicy elements, and only those in turn then
have PolicyRequirementRule and AttributeRule child elements.
That's explained in the documentation at
https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterConfiguration
where you'll also find illustrative examples, see "Simple
Attribute-Filter.xml file (V3.2.0 and later)".

> The log shows that it reads it properly and follows the dependencies
> but does not return anything.

You can always set the logging to DEBUG for some specific classes, in
this case "net.shibboleth.idp.attribute.resolver".
Also check for any WARN or ERROR messages in the log, in case the
invalid filter tripped up the software.

-peter
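
Added example, not part of the original message and not Shibboleth project code: a small structural check that applies the nesting rule from the reply above to the posted filter and to a corrected version. The policy id `releaseUidToExampleSP`, the SP entityID `https://sp.example.org/shibboleth` and the function name `lint_filter` are assumptions made for illustration; the check covers only the nesting described in the reply, not full schema validation.

```python
import xml.etree.ElementTree as ET

AFP = "{urn:mace:shibboleth:2.0:afp}"
NS = ('xmlns="urn:mace:shibboleth:2.0:afp" '
      'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"')

# The filter as posted in the quoted message (schemaLocation omitted).
POSTED = f"""<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" {NS}>
  <AttributeRule attributeID="uid">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
</AttributeFilterPolicyGroup>"""

# Constructed correction: policy id and SP entityID are placeholders.
CORRECTED = f"""<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" {NS}>
  <AttributeFilterPolicy id="releaseUidToExampleSP">
    <PolicyRequirementRule xsi:type="Requester"
                           value="https://sp.example.org/shibboleth" />
    <AttributeRule attributeID="uid">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def lint_filter(xml_text):
    """Return structural problems, per the nesting rule in the reply."""
    root = ET.fromstring(xml_text)
    if root.tag != AFP + "AttributeFilterPolicyGroup":
        return [f"unexpected root element: {root.tag}"]
    problems = []
    for child in root:
        if child.tag != AFP + "AttributeFilterPolicy":
            name = child.tag.split("}")[-1]
            problems.append(f"{name} directly under the root; "
                            "move it inside an AttributeFilterPolicy")
            continue
        pid = child.get("id", "(no id)")
        for required in ("PolicyRequirementRule", "AttributeRule"):
            if child.find(AFP + required) is None:
                problems.append(f"policy {pid}: no {required} child")
    return problems


if __name__ == "__main__":
    for label, doc in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, lint_filter(doc) or "ok")
```

The corrected filter scopes release of `uid` to one requesting SP; a PolicyRequirementRule of type ANY would release it to every relying party.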

