shibboleth SP generating two values for attributes from azure

Sean Flannery sean.flannery at
Mon Nov 5 14:34:27 EST 2018


We have a Shibboleth SP that we have recently pointed to Azure-as-IdP and it's working fine for authentication but, for every claim coming back from Azure, say "email", Shibboleth SP (3.0.1) seems to be double-setting the value, ex:

"email: sean at; sean at"

When I trace the logs however, the IDP (azure) is only sending a single value:

<Attribute Name="">

  <AttributeValue>sean at</AttributeValue>


Additionally, when I look in the shib logs it seems to know it's only one value when it decodes it:

2018-11-05 19:14:33|Shibboleth-TRANSACTION|Cached the following attributes with session (ID: _b3f8ea8e8f86df25b6af513ebc2f142d) for (applicationId: default) {
2018-11-05 19:14:33|Shibboleth-TRANSACTION| email (1 values)

And, for some attributes that need to be reformatted, we use the Template attribute resolver plugin and, for those attributes, it's only a single value, ex:

this:   <AttributeResolver type="Template" sources="email" dest="primary-mail">
gives the single attribute value: sean at

So it's only the 'unchanged' attributes that come directly from Azure that seem to have duplicate values.

I have not seen this before. Any suggestions? Perhaps I'm making a simple error in the attribute resolver config, but everything looks correct and comparable to past deploys (though, again, this is the first time with azure).

Thanks for your time.

