mapped eduPersonScopedAffiliation attribute

Ryan Suarez ryan.suarez at sheridancollege.ca
Thu Sep 6 13:45:20 EDT 2018



    <resolver:AttributeDefinition xsi:type="ad:Mapped" id="eduPersonScopedAffiliation" sourceAttributeID="myAttribute">
        <resolver:Dependency ref="ldap" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
        <ad:ValueMap>
           <ad:ReturnValue>student@mydomain.ca</ad:ReturnValue>
           <ad:SourceValue>students</ad:SourceValue>
        </ad:ValueMap>
    </resolver:AttributeDefinition>

I can see the mapped attribute when testing from the IdP with this command "aacli.sh --configDir /opt/shibboleth-idp/conf --principal=someUser --requester https://sp.somedomain.ca". However, I cannot see the mapped attribute in the SAML assertion to the SP when inspecting with the SAML tracer tool for Firefox.

Why is the mapped attribute not part of the assertion if it shows up with aacli?

I turned on debug logging and this is the error:

[net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:187] - Profile Action AddAttributeStatementToAssertion: Encoding attribute eduPersonScopedAffiliation as a SAML 2 Attribute
[net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:154] - Beginning to encode attribute eduPersonScopedAffiliation
[net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:173] - Skipping value of attribute eduPersonScopedAffiliation; Type net.shibboleth.idp.attribute.StringAttributeValue cannot be encoded by this encoder.
[net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:173] - Skipping value of attribute eduPersonScopedAffiliation; Type net.shibboleth.idp.attribute.StringAttributeValue cannot be encoded by this encoder.
[net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:193] - Profile Action AddAttributeStatementToAssertion: Unable to encode attribute eduPersonScopedAffiliation as SAML 2 attribute
net.shibboleth.idp.attribute.AttributeEncodingException: Attribute eduPersonScopedAffiliation did not contain any encodeable values
        at net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder.encode(AbstractSAMLAttributeEncoder.java:188)
[net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:203] - Profile Action AddAttributeStatementToAssertion: Attribute eduPersonScopedAffiliation did not have a usable SAML 2 Attribute encoder associated with it, nothing to do

Any insight would be appreciated.

thanks,
Ryan
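
Added example, not part of the original post or of the Shibboleth project's shipped configuration: the debug log above shows the ScopedString encoders skipping values of type StringAttributeValue, which is the value type an ad:Mapped definition produces. One arrangement that hands those encoders scoped values is to keep the mapping in an unscoped intermediate definition and derive eduPersonScopedAffiliation from it with an ad:Scoped definition. The id "affiliationMapped" and the literal scope "mydomain.ca" are assumptions for illustration.

```xml
<!-- Step 1 (assumed id "affiliationMapped"): map the LDAP value to an
     unscoped affiliation. This yields StringAttributeValue objects.
     It carries no encoders and is marked dependencyOnly, so it is never
     released to an SP on its own. -->
<resolver:AttributeDefinition xsi:type="ad:Mapped" id="affiliationMapped"
                              sourceAttributeID="myAttribute" dependencyOnly="true">
    <resolver:Dependency ref="ldap" />
    <ad:ValueMap>
        <ad:ReturnValue>student</ad:ReturnValue>
        <ad:SourceValue>students</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>

<!-- Step 2: attach the scope (assumed "mydomain.ca"). ad:Scoped yields
     ScopedStringAttributeValue objects, the type the ScopedString
     encoders accept, so the values are no longer skipped. -->
<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonScopedAffiliation"
                              scope="mydomain.ca" sourceAttributeID="affiliationMapped">
    <resolver:Dependency ref="affiliationMapped" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
</resolver:AttributeDefinition>
```

The scope should be one the IdP's metadata declares in a shibmd:Scope element, since SPs that enforce scope checking discard scoped values whose scope the asserting IdP is not registered for.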