Help with name ID

Mike Osterman ostermmg at
Fri Nov 16 11:45:55 EST 2018

OK - very helpful!

So I've determined that there is a valid attribute:
2018-11-15 17:01:48,179 - DEBUG
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:411] -
Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies
for 'mail'
2018-11-15 17:01:48,180 - DEBUG
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:427] -
Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving
dependencies for 'mail'
2018-11-15 17:01:48,180 - DEBUG
[net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:247] -
Attribute Definition 'mail': produced an attribute with the following
values [StringAttributeValue{value=ostermmg at}]
2018-11-15 17:01:48,181 - DEBUG
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:308] -
Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition
'mail' produced an attribute with 1 values

It turned out to be a problem with the Requester URL in the Attribute
Filter policy:

2018-11-15 17:01:51,439 - DEBUG
[net.shibboleth.idp.attribute.filter.AttributeFilterPolicy:128] - Attribute
Filter Policy 'foo'  Checking if attribute filter policy is active
2018-11-15 17:01:51,440 - DEBUG
- Attribute Filter
Found attribute requester: [REDACTED]
2018-11-15 17:01:51,440 - DEBUG
[net.shibboleth.idp.attribute.filter.AttributeFilterPolicy:137] - Attribute
Filter Policy 'foo'  Policy is not active for this request

I compared that with the URL that I got, and found the root cause: wrong
URL for the filter. We had received two URLs, and I picked the one I
thought matched up with the requester. Obviously, got that wrong. :/

Thanks for the DEBUG guidance. It's working now!


On Thu, Nov 15, 2018 at 4:33 PM Cantor, Scott <cantor.2 at> wrote:

> > Thanks, Scott. Which variable [1] do you recommend I set to debug to get
> at
> > this info? It's not clear (to me, at least) which one of these is going
> to provide
> > the debugging info you're thinking of.
> General IdP logging categories on DEBUG log attribute resolution
> thoroughly.
> -- Scott
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list