shibboleth SP generating two values for attributes from azure

Sean Flannery sean.flannery at jwt.com
Mon Nov 5 14:34:27 EST 2018


Hello,

We have a Shibboleth SP that we have recently pointed to azure-as-idp and it's working fine for authentication but, for every claim coming back from Azure, say "email", Shibboleth SP (3.0.1) seems to be double-setting the value, e.g.:


"email: sean at domain.com; sean at domain.com"

When I trace the logs however, the IDP (azure) is only sending a single value:

<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
  <AttributeValue>sean at domain.com</AttributeValue>
</Attribute>

Additionally, when I look in the shib logs, it seems to know it's only one value when it decodes it:


2018-11-05 19:14:33|Shibboleth-TRANSACTION|Cached the following attributes with session (ID: _b3f8ea8e8f86df25b6af513ebc2f142d) for (applicationId: default) {
2018-11-05 19:14:33|Shibboleth-TRANSACTION| email (1 values)

And, for some attributes that need to be reformatted, we use the Template attribute resolver plugin and, for those attributes, it's only a single value, e.g.:

this:   <AttributeResolver type="Template" sources="email" dest="primary-mail">
gives the single attribute value: sean at domain.com


So it's only the 'unchanged' attributes that come directly from Azure that seem to have duplicate values.


I have not seen this before. Any suggestions? Perhaps I'm making a simple error in the attribute resolver config, but everything looks correct and comparable to past deploys (though, again, this is the first time with azure).

Thanks for your time.

Sean

