Need help with skipping unmapped SAML 2.0 Attribute

Dennis Fazekas Dennis_Fazekas at SHI.com
Fri Mar 2 10:43:48 EST 2018


Greetings, 

Thank you in advance for any help! To start off I would like to say my level of experience is enough to get me by in most cases... We have been using Shibboleth SP for a few years with little to no issues.

We have a customer whom we cannot get working with the Shibboleth software. They are using WSO2 as their IdP. In my logs it says, "skipping unmapped SAML 2.0 Attribute". At this point I had them reconfigure their software to use the default attributes used by their software and I am trying to get them working by adding them into my attribute-map.xml file. Still not working. This is probably something simple stupid I am doing wrong but I don't know enough to get it working. 

Also, are these two attribute statements handled the same in Shibboleth? saml2:AttributeStatement vs saml:AttributeStatement?

This is what their AuthnStatement looks like:

<saml2:AttributeStatement>
    <saml2:Attribute Name="http://wso2.org/claims/userid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue 
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">JohnDoe 
        </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://wso2.org/claims/catalog" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue 
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ApproverOver100USD 
        </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://wso2.org/claims/displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue 
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John Doe 
        </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://wso2.org/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue 
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John.Doe at exmaple.xyxyx 
        </saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>

I see the following errors in the shibboleth logs:
INFO Shibboleth.AttributeExtractor.XML [7]: skipping unmapped SAML 2.0 Attribute with Name: http://wso2.org/claims/userid, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic 
INFO Shibboleth.AttributeExtractor.XML [7]: skipping unmapped SAML 2.0 Attribute with Name: http://wso2.org/claims/catalog, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic 
INFO Shibboleth.AttributeExtractor.XML [7]: skipping unmapped SAML 2.0 Attribute with Name: http://wso2.org/claims/displayName, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic 
INFO Shibboleth.AttributeExtractor.XML [7]: skipping unmapped SAML 2.0 Attribute with Name: http://wso2.org/claims/emailaddress, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic 

I tried the following attribute mappings in the attribute-map.xml...

attribute-map.xml Settings Attempt #1
<Attribute name="http://wso2.org/claims/displayName" id="displayName"/>
<Attribute name="http://wso2.org/claims/emailaddress" id="mail"/>  
<Attribute name="http://wso2.org/claims/catalog" id="catalog"/>
<Attribute name="http://wso2.org/claims/userid" id="userid"/>

attribute-map.xml Settings Attempt #2
<Attribute name="http://wso2.org/claims/userid" id="userid">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="http://wso2.org/claims/catalog" id="catalog">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="http://wso2.org/claims/displayName" id="displayName">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="http://wso2.org/claims/emailaddress" id="mail">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>

attribute-map.xml Settings Attempt #3
<Attribute name="http://wso2.org/claims/userid" id="userid">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false" />
</Attribute>
<Attribute name="http://wso2.org/claims/catalog" id="catalog">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false" />
</Attribute>
<Attribute name="http://wso2.org/claims/displayName" id="displayName">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false" />
</Attribute>
<Attribute name="http://wso2.org/claims/emailaddress" id="mail">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false" />
</Attribute>

Again, thanks for any help! :)
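
The log lines in the message above name both the attribute Name and its Format, and the three mapping attempts declare only `name`. The following is an added example, not part of the original post and not Shibboleth code: a simplified Python model that assumes the SP matches rules on the (name, nameFormat) pair, with an omitted `nameFormat` standing for the uri/unspecified default. The sample XML is constructed from two of the attributes in the post.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
AMAP = "urn:mace:shibboleth:2.0:attribute-map"
URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample: two attributes from the post, values omitted.
STATEMENT = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2}">
  <saml2:Attribute Name="http://wso2.org/claims/userid" NameFormat="{BASIC}"/>
  <saml2:Attribute Name="http://wso2.org/claims/emailaddress" NameFormat="{BASIC}"/>
</saml2:AttributeStatement>"""

# An "Attempt #1" style rule (no nameFormat) beside a rule that declares basic.
MAP = f"""<Attributes xmlns="{AMAP}">
  <Attribute name="http://wso2.org/claims/userid" id="userid"/>
  <Attribute name="http://wso2.org/claims/emailaddress" id="mail" nameFormat="{BASIC}"/>
</Attributes>"""

def norm(fmt):
    # Assumed model: absent, uri and unspecified formats share one default bucket.
    return "" if fmt in (None, URI, UNSPEC) else fmt

def load_map(map_xml):
    """Index mapping rules by (name, normalized nameFormat) -> local id."""
    rules = {}
    for a in ET.fromstring(map_xml).iter(f"{{{AMAP}}}Attribute"):
        rules[(a.get("name"), norm(a.get("nameFormat")))] = a.get("id")
    return rules

def extract(statement_xml, rules):
    """Return (mapped, skipped) for the attributes in an AttributeStatement."""
    mapped, skipped = {}, []
    for a in ET.fromstring(statement_xml).iter(f"{{{SAML2}}}Attribute"):
        key = (a.get("Name"), norm(a.get("NameFormat")))
        if key in rules:
            mapped[rules[key]] = key
        else:
            skipped.append(key)  # dropped, never reaches the application
    return mapped, skipped

if __name__ == "__main__":
    mapped, skipped = extract(STATEMENT, load_map(MAP))
    print("mapped:", mapped)
    for name, fmt in skipped:
        print(f"skipping unmapped SAML 2.0 Attribute with Name: {name}, Format:{fmt}")
```

Under this model the `userid` rule without `nameFormat` never matches the basic-format attribute, while the `mail` rule that declares the basic format does.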

