Need help with skipping unmapped SAML 2.0 Attribute

Dennis Fazekas Dennis_Fazekas at SHI.com
Fri Mar 2 11:58:44 EST 2018


Thank you! That worked!

I did overlook the part about the nameFormat in the documentation. Darn it! :)

nameFormat(string)
    Optional SAML @AttributeNamespace/@NameFormat of extraction source (defaults to Shibboleth "standard" URI format constants specific to each SAML version).



* Dennis Fazekas <Dennis_Fazekas at SHI.com> [2018-03-02 16:44]:
> This is what their AuthnStatement looks like: [...]
>     <saml2:Attribute Name="http://wso2.org/claims/userid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>         <saml2:AttributeValue 
>             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">JohnDoe 
>         </saml2:AttributeValue>
>     </saml2:Attribute>

Note that they're actually using URI-format names, but sending a nameformat of "basic" (i.e. they're saying they're sending attribute names like "givenName", but they're not).

If they fixed the latter (there's no shame in sending fully qualified URIs as names, in fact it's Shibboleth's default and highly recommended) your first attempt would just have worked...

> attribute-map.xml Settings Attempt #1
> <Attribute name="http://wso2.org/claims/displayName" 
> id="displayName"/>

But they're not, so it doesn't.

> attribute-map.xml Settings Attempt #2
> <Attribute name="http://wso2.org/claims/userid" id="userid"> 
> <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
> </Attribute>

Guessing won't get you further. The attribute is not scoped, so adding an incorrect decoder will not fix this.

> attribute-map.xml Settings Attempt #3
> <Attribute name="http://wso2.org/claims/userid" id="userid"> 
> <AttributeDecoder xsi:type="StringAttributeDecoder" 
> caseSensitive="false" /> </Attribute>

Ditto.

Here's what will work: 

<Attribute name="http://wso2.org/claims/userid"
  nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
  id="userid" />

You've probably found the docs but not what you're looking for:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeExtractor

-peter
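
The matching behaviour discussed in this thread, as an added example that is not part of the original messages and is not Shibboleth's own code: a simplified Python model in which a mapping rule matches only when both the name and the name format agree, with a rule that omits nameFormat defaulting to the SAML 2.0 URI format. The function names `load_rules` and `extract` are hypothetical, the XML samples are constructed from the fragments quoted above, and an incoming attribute with no NameFormat is not modelled.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
NAME = "http://wso2.org/claims/userid"

# Constructed sample modelled on the attribute quoted in the thread.
STATEMENT = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute Name="{NAME}" NameFormat="{BASIC_FORMAT}">
    <saml2:AttributeValue>JohnDoe </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# Constructed attribute-map documents: a rule without nameFormat, and the working rule.
MAP_NO_FORMAT = f'<Attributes xmlns="{MAP_NS}"><Attribute name="{NAME}" id="userid"/></Attributes>'
MAP_BASIC = (f'<Attributes xmlns="{MAP_NS}">'
             f'<Attribute name="{NAME}" nameFormat="{BASIC_FORMAT}" id="userid"/></Attributes>')


def load_rules(map_xml):
    """Return {(name, nameFormat): id}; a rule with no nameFormat gets the URI default."""
    rules = {}
    for rule in ET.fromstring(map_xml).iter(f"{{{MAP_NS}}}Attribute"):
        rules[(rule.get("name"), rule.get("nameFormat", URI_FORMAT))] = rule.get("id")
    return rules


def extract(statement_xml, rules):
    """Return (mapped, skipped): {id: [values]} and the unmatched (Name, NameFormat) pairs."""
    mapped, skipped = {}, []
    for attr in ET.fromstring(statement_xml).iter(f"{{{SAML2_NS}}}Attribute"):
        key = (attr.get("Name"), attr.get("NameFormat"))
        if key not in rules:
            skipped.append(key)  # same name under a different format is still unmapped
            continue
        values = [(v.text or "").strip()
                  for v in attr.iter(f"{{{SAML2_NS}}}AttributeValue")]
        mapped.setdefault(rules[key], []).extend(values)
    return mapped, skipped


if __name__ == "__main__":
    for label, doc in (("no nameFormat", MAP_NO_FORMAT), ("basic nameFormat", MAP_BASIC)):
        print(label, extract(STATEMENT, load_rules(doc)))
```

Listing the skipped pairs alongside the mapped ones makes a name/format mismatch visible at a glance, which is useful when an IdP's release policy and the SP's map are maintained by different parties.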