Shib 2 release attribute to SP with a different name

Emily Heiner eheiner at whatcom.edu
Thu Feb 28 12:34:21 EST 2019


I’m looking at the SAMLTest SP log and it’s getting the attribute passed, but not displaying in the results as an attribute that was successfully passed:
<saml2:Attribute FriendlyName="Email" Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">eheiner at whatcom.edu</saml2:AttributeValue></saml2:Attribute>

Do I need to change the NameFormat as well?

Emily Heiner
Software Developer/DBA
Whatcom Community College
Email:   eheiner at whatcom.edu<mailto:eheiner at whatcom.ctc.edu>
Office:  360-383-3425

“There are known knowns; there are things we know that we know. There are known unknowns; that is to say, there are things that we now know we don't know. But there are also unknown unknowns -- there are things we do not know we don’t know.”
-- United States Secretary of Defense, Donald Rumsfeld

“I just the other day got… an Internet sent by my staff at 10 o'clock in the morning on Friday. I got it yesterday. Why? Because it got tangled up with all these things going on the Internet commercially [...] And again, the Internet is not something that you just dump something on. It's not a big truck. It's a series of tubes.”
-- United States Senator, Ted Stevens

From: users <users-bounces at shibboleth.net> On Behalf Of Christopher Bongaarts
Sent: Thursday, February 28, 2019 9:25 AM
To: users at shibboleth.net
Subject: Re: Shib 2 release attribute to SP with a different name

On 2/28/2019 11:14 AM, Emily Heiner wrote:
Hi, I’m using Shibboleth 2 and am trying to release an attribute to an SP (SAMLTest in this instance) and it keeps passing my email address as “mail” to them, when I want the attribute to be called Email when it is passed to them. I’ve googled and am frankly stumped.

My attribute-resolver.xml has:
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="Email" />

It is likely that the SP side is using the Name rather than the friendlyName (which is the Right Thing to do), and may be mapping the OID style identifier to mail (on a Shib SP, that would be in attribute-map.xml).  Setting the name="Email" would likely fix that.

I'm guessing this is not a Shib SP, as in that case the SP should just change their attribute-map.xml instead of having the IdP do it...



--

%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
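
Added example, not part of the original thread and not Shibboleth code: a sketch of an SP-side mapper keyed on Name and NameFormat rather than FriendlyName, the behaviour the reply above describes, showing one way an attribute can be present in the response yet not surface when no rule matches its Name. The map contents, the `extract` function and the sample address are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Hypothetical SP-side map keyed on (Name, NameFormat), in the spirit of a
# Shibboleth SP attribute-map.xml. FriendlyName is deliberately not a key.
ATTRIBUTE_MAP = {
    ("urn:oid:0.9.2342.19200300.100.1.3", URI_FORMAT): "mail",
}

# Constructed sample: the attribute as first encoded (OID name), then as
# re-encoded with name="Email". The address is a placeholder.
SAMPLE = f"""
<saml2:AttributeStatement xmlns:saml2="{SAML2}">
  <saml2:Attribute FriendlyName="Email" Name="urn:oid:0.9.2342.19200300.100.1.3"
                   NameFormat="{URI_FORMAT}">
    <saml2:AttributeValue>user@example.edu</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="Email" Name="Email" NameFormat="{URI_FORMAT}">
    <saml2:AttributeValue>user@example.edu</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""

def extract(statement_xml, attribute_map):
    """Return (mapped, unmapped): local id -> values, and skipped (Name, NameFormat) keys."""
    ns = {"saml2": SAML2}
    mapped, unmapped = {}, []
    for attr in ET.fromstring(statement_xml).findall("saml2:Attribute", ns):
        key = (attr.get("Name"), attr.get("NameFormat"))
        values = [v.text for v in attr.findall("saml2:AttributeValue", ns)]
        local_id = attribute_map.get(key)
        if local_id is None:
            unmapped.append(key)  # on the wire, but no rule consumes it
        else:
            mapped.setdefault(local_id, []).extend(values)
    return mapped, unmapped

if __name__ == "__main__":
    mapped, unmapped = extract(SAMPLE, ATTRIBUTE_MAP)
    print("mapped:", mapped)
    print("unmapped:", unmapped)
    # A rule for the new Name is what makes it surface under "Email".
    extended = {**ATTRIBUTE_MAP, ("Email", URI_FORMAT): "Email"}
    print("with rule:", extract(SAMPLE, extended)[0])
```
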