Access Denied

Tabitha O. Locklear tabithao.locklear at uncp.edu
Fri Jul 27 09:35:00 EDT 2018


I'm in the process of moving from V2 Shibboleth to V3. I am working through changes in my configuration files.
One of my SPs is giving an "Access is denied" message.
The old syntax is using 2 of the deprecated values, SAML1StringNameIdentifier and SAML2StringNameID.
I have placed what I thought might work in the saml-nameid.xml file, but I'm still receiving the "Access is denied" error message.
The logs from the SP:
Unable to populate standard claim loginId from mapped claim name ....
Below are my conf files from both V3 and V2.


Attribute-Resolver.xml
V3

<resolver:AttributeDefinition id="Login" xsi:type="ad:Simple"
         sourceAttributeID="sAMAccountName">
        <resolver:Dependency ref="myLDAP" />
        <!-- In V3 the NameID encoders are gone; NameID generation moves to saml-nameid.xml -->
    </resolver:AttributeDefinition>


Saml-nameid.xml

<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:transient"
            p:attributeSourceIds="#{ {'Login'} }" >
      </bean>

Saml-nameid.properties

# Default NameID Formats to use when nothing else is called for.
# Don't change these just to change the Format used for a single SP!
idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier

V2

<resolver:AttributeDefinition id="Login" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="sAMAccountName">
        <resolver:Dependency ref="myLDAP" />

        <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:transient" />

        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />

    </resolver:AttributeDefinition>



Attribute-Filter.xml

<AttributeFilterPolicy id="releaseLoginToSAASIT">
    <PolicyRequirementRule xsi:type="Requester" value="https://uncp.saasit.com/" />

    <AttributeRule attributeID="Login">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>



Relying-Party.xml
V3
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://uncp.saasit.com/">
    <property name="profileConfigurations">
        <list>
            <!-- Your refs or beans here. -->
            <!-- NameID format URI uses "1.1", not "1:1" -->
            <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" p:encryptAssertions="false" p:encryptNameIDs="false" p:signAssertions="true" p:signResponses="false"/>
        </list>
    </property>
</bean>

V2
<rp:RelyingParty id="https://uncp.saasit.com/"
       provider="https://idp.uncp.edu/idp/shibboleth"
       defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" assertionProxyCount="0" signResponses="never" signAssertions="always" encryptAssertions="conditional" encryptNameIds="never" />
</rp:RelyingParty>





Tabitha O. Locklear
MS Information Technology
Operations & Systems Analyst
Division of Information Technology
University of North Carolina at Pembroke
tabithao.locklear at uncp.edu
Office : 910-775-4039
Fax : 910-521-6649
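As an added consistency check (example code, not part of the post above or of the Shibboleth project), the script below parses V3 saml-nameid.xml and relying-party.xml fragments and reports NameID format URIs that SAML does not define, nameIDFormatPrecedence entries for which no SAML2 generator exists, and generator source attributes missing from the resolver. The sample fragments are constructed copies of the V3 ones in the post; the Spring beans, p: and c: namespace URIs are the standard ones, and a precedence value may be a single URI or a comma-separated list.

```python
import re
import xml.etree.ElementTree as ET

# NameID format URIs defined in SAML Core section 8.3 (subset); transient and
# persistent exist only under the 2.0 prefix, never 1.1.
KNOWN_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}
BEANS = "http://www.springframework.org/schema/beans"
P = "http://www.springframework.org/schema/p"
C = "http://www.springframework.org/schema/c"

def _parse(fragment):
    # Pasted fragments lack the files' namespace declarations; supply p: and c:.
    return ET.fromstring('<beans xmlns="%s" xmlns:p="%s" xmlns:c="%s">%s</beans>'
                         % (BEANS, P, C, fragment))

def generators(nameid_xml):
    """Map NameID format -> attribute IDs of SAML2AttributeSourcedGenerator beans."""
    out = {}
    for bean in _parse(nameid_xml).iter("{%s}bean" % BEANS):
        if bean.get("parent") == "shibboleth.SAML2AttributeSourcedGenerator":
            ids = re.findall(r"'([^']+)'", bean.get("{%s}attributeSourceIds" % P, ""))
            out.setdefault(bean.get("{%s}format" % P, ""), set()).update(ids)
    return out

def check(nameid_xml, rp_xml, resolver_ids):
    """Return findings as strings; an empty list means the fragments agree."""
    findings, gens = [], generators(nameid_xml)
    for fmt, ids in gens.items():
        if fmt not in KNOWN_FORMATS:
            findings.append("generator uses non-standard format %r" % fmt)
        for attr in sorted(ids - set(resolver_ids)):
            findings.append("generator sources undefined attribute %r" % attr)
    for bean in _parse(rp_xml).iter("{%s}bean" % BEANS):
        for fmt in re.split(r"[,\s]+", bean.get("{%s}nameIDFormatPrecedence" % P, "").strip()):
            if fmt and fmt not in KNOWN_FORMATS:
                findings.append("precedence lists non-standard format %r" % fmt)
            elif fmt and fmt not in gens:
                findings.append("no SAML2 generator for format %r" % fmt)
    return findings

# Constructed sample mirroring the V3 fragments in the post above.
NAMEID_XML = """<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
  p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:transient" p:attributeSourceIds="#{ {'Login'} }"/>"""
RP_XML = """<bean parent="RelyingPartyByName" c:relyingPartyIds="https://uncp.saasit.com/">
  <property name="profileConfigurations"><list><bean parent="SAML2.SSO"
  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></list></property></bean>"""
```

Run `check(NAMEID_XML, RP_XML, {"Login"})` to see why no NameID can be produced for this SP: the generator's format is not a SAML-defined one, and the format the relying party asks for has no generator at all.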
