Need help with skipping unmapped SAML 2.0 Attribute

Peter Schober peter.schober at univie.ac.at
Fri Mar 2 10:57:46 EST 2018


* Dennis Fazekas <Dennis_Fazekas at SHI.com> [2018-03-02 16:44]:
> This is what their AuthnStatement looks like: [...]
>     <saml2:Attribute Name="http://wso2.org/claims/userid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>         <saml2:AttributeValue 
>             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">JohnDoe 
>         </saml2:AttributeValue>
>     </saml2:Attribute>

Note that they're actually using URI-format names, but sending a
nameformat of "basic" (i.e. they're saying they're sending attribute
names like "givenName", but they're not).

If they fixed the latter (there's no shaming in sending fully
qualified URIs as names, in fact it's Shibboleth's default and highly
recommended) your first attempt would just have worked...

> attribute-map.xml Settings Attempt #1
> <Attribute name="http://wso2.org/claims/displayName" id="displayName"/>

But they're not, so it doesn't.

> attribute-map.xml Settings Attempt #2
> <Attribute name="http://wso2.org/claims/userid" id="userid">
> <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
> </Attribute>

Guessing won't get you further. The attribute is not scoped, so adding
an incorrect decoder will not fix this.

> attribute-map.xml Settings Attempt #3
> <Attribute name="http://wso2.org/claims/userid" id="userid">
> <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false" />
> </Attribute>

Ditto.

Here's what will work: 

<Attribute name="http://wso2.org/claims/userid"
  nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
  id="userid" />

You've probably found the docs but not what you're looking for:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeExtractor

-peter
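As an added illustration (not code from the thread, nor Shibboleth's own extractor), here is a small simulation of the matching rule Peter's fix relies on: an attribute-map.xml <Attribute> rule matches an incoming <saml2:Attribute> on Name AND NameFormat, a rule that omits nameFormat is taken to mean the SAML 2.0 "uri" format (my reading of the thread and the linked docs), and the <AttributeDecoder> plays no part in whether the rule matches. The assertion fragment and the two maps are constructed from the elements quoted above.

```python
import xml.etree.ElementTree as ET

URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
UNSPEC_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def load_rules(attribute_map_xml):
    """(name, nameFormat, id) per <Attribute> rule; omitted nameFormat = uri."""
    root = ET.fromstring(attribute_map_xml)
    return [(el.get("name"), el.get("nameFormat", URI_FMT), el.get("id"))
            for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Attribute"]

def extract(assertion_xml, attribute_map_xml):
    """Map incoming SAML attributes to SP ids by (Name, NameFormat) only.
    The <AttributeDecoder> inside a rule never influences whether it matches."""
    rules = load_rules(attribute_map_xml)
    out = {}
    for attr in ET.fromstring(assertion_xml).iter(SAML2 + "Attribute"):
        # SAML 2.0 says an omitted NameFormat means "unspecified".
        key = (attr.get("Name"), attr.get("NameFormat", UNSPEC_FMT))
        for name, fmt, attr_id in rules:
            if (name, fmt) == key:
                out.setdefault(attr_id, []).extend(
                    (v.text or "").strip()
                    for v in attr.iter(SAML2 + "AttributeValue"))
    return out

# Constructed input: the attribute quoted in the thread, value trimmed.
ASSERTION = """<saml2:AttributeStatement
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="http://wso2.org/claims/userid"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue>JohnDoe</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# Attempt #3 from the thread: no nameFormat, so the rule means "uri" format.
BROKEN_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="http://wso2.org/claims/userid" id="userid">
    <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
  </Attribute>
</Attributes>"""

# Peter's working rule: nameFormat now matches what the IdP really sends.
FIXED_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="http://wso2.org/claims/userid"
      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      id="userid"/>
</Attributes>"""
```

Running extract() with the real assertion from the IdP and your own attribute-map.xml is a quick offline check of which rules would fire before touching the SP.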