unable to capture eppn information from SAML2/POST at SP

Cantor, Scott cantor.2 at osu.edu
Mon Jun 11 18:29:12 EDT 2018


On 6/11/18, 6:13 PM, "users on behalf of O'Quinn, Dennis" <users-bounces at shibboleth.net on behalf of DENNIS_OQUINN at homedepot.com> wrote:

> Thanks, but, not sure how to apply that guidance.  This is what the IdP is sending me.  Are you saying I can override that
> someway and 'change' it to eduPersonPrincipalName?

I didn't say "change it to eduPersonPrincipalName", I said the opposite.

I'm referring to the local name the SP assigns it, which is the part in the id attribute in the mapping rule, not the part in the name attribute in the rule. The fact that they're the same is adding to the confusion, as is the fact that the IdP is using a simple string for an attribute name, as is the fact that it seems to have picked an inappropriate and confusing name to use.

It's a bit of a mess from beginning to end, but you at least have control of your end to "untangle" it a bit so that at least you have garbage in -> slightly less garbage out, and can avoid triggering default settings you aren't intending to use.

Another way to say it would be that if you want to essentially start with a "clean" attribute map of non-eduPerson/etc. data, it's best to clear out the filter policy also and just start clean with both. The defaults line up so dumping one of them will cause problems if you don't dump the other.
 
> BTW, Much of the documentation I am reading out there seems to imply that the configuration is being done by 'one'
> entity with access to "both" IdP and SP configurations and logs simultaneously.

No, not really. The defaults assume practices and rigor that aren't common to enterprises, and all software tends to document how things are meant to work more than how to work around things, that's simply natural.

> That is not the case for our environment.  I take it that this is much of my problem in working through all these issues?

Your problem is rooted in a bad decision at the IdP, which creates work and confusion at the SP, to some degree, and then you happened to make a poor choice at the SP, which is the part I'm referring to changing.

-- Scott
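The id-versus-name distinction and the map/policy pairing discussed in the reply above, as an added example that is not part of the original post or the Shibboleth distribution. It assumes the IdP is sending the attribute under the plain string name `userPrincipalName` (a constructed placeholder; use the name actually shown in the SP log) and that the SP assigns it the local id `localUserId`, chosen so it does not collide with the stock `eppn` rules:

```xml
<!-- attribute-map.xml (fragment). 'name' is what the IdP asserts on the wire;
     'id' is the local name the SP uses in attribute-policy.xml and exports to
     the application. The IdP name below is a constructed placeholder. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Attribute name="userPrincipalName" id="localUserId">
        <!-- Plain string decoder: the IdP sends a bare string, not a
             properly scoped eduPerson value, so no scope handling applies. -->
        <AttributeDecoder xsi:type="StringAttributeDecoder"/>
    </Attribute>
</Attributes>

<!-- attribute-policy.xml (fragment), rebuilt alongside the map so the two agree.
     The rule is keyed on the local id ('localUserId'), not the IdP's name.
     Had the map reused id="eppn", the stock policy's ScopingRules (shibmd:Scope
     check plus rejection of '@' inside the value) would apply to an unscoped
     string and reject it, which is one way an attribute the IdP is sending
     never reaches the application. -->
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="ANY"/>
        <afp:AttributeRule attributeID="localUserId">
            <afp:PermitValueRule xsi:type="ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

If the IdP is later fixed to send a genuinely scoped eduPersonPrincipalName, map it to the default `eppn` id with the ScopedAttributeDecoder and keep the stock ScopingRules, since the scope check is what stops an IdP from asserting identities in another organisation's domain.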