Shib 2 release attribute to SP with a different name

Christopher Bongaarts cab at umn.edu
Thu Feb 28 13:55:05 EST 2019


Then you should be all set, as SAMLtest shows that you're sending what you intended; it's just not built to show the nonstandard attributes.

On 2/28/2019 12:38 PM, Emily Heiner wrote:
> I don't want the formal attribute name though, I want it to be named Email when it comes across. I'm guessing what you found will pass it as Email instead of the formal "mail" attribute name as specified by the OID. All of this stems from Adobe's SP that we're trying to integrate with, which requires the email address to be sent as "Email" rather than "mail".
>
> -----Original Message-----
> From: users <users-bounces at shibboleth.net> On Behalf Of Nate Klingenstein
> Sent: Thursday, February 28, 2019 10:30 AM
> To: Shib Users <users at shibboleth.net>; users at shibboleth.net
> Subject: RE: Shib 2 release attribute to SP with a different name
>
> Emily & Chris,
>
> SAMLtest.id's SP is running Shibboleth 3.0.latest and it has the mapping for mail enabled.  I went snooping through the logs and I found:
>
> <saml2:Attribute FriendlyName="Email" Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">eheiner at redacted.edu</saml2:AttributeValue></saml2:Attribute>
>
> In this case, it looks like you're sending the formal name as Email rather than as the formal URN name as defined by the specification, and that is not mapped.  That will be due to some configuration in your IdP.  Once you send it with the name urn:oid:0.9.2342.19200300.100.1.3, it should map properly and be displayed on the results page.  You can see all of this if you click on the button to display IdP logs.
>
> Best wishes and thank you for your patronage of SAMLtest, Nate.
>   
> -----Original message-----
>> From: Christopher Bongaarts
>> Sent: Thursday, February 28 2019, 10:25 am
>> To: users at shibboleth.net
>> Subject: Re: Shib 2 release attribute to SP with a different name
>>
>>
>>
>> On 2/28/2019 11:14 AM, Emily Heiner wrote:
>>
>> Hi, I’m using Shibboleth 2 and am trying to release an attribute to an SP (SAMLTest in this instance) and it keeps passing my email address as “mail” to them, when I want the attribute to be called Email when it is passed to them. I’ve googled and am frankly stumped.
>>
>> My attribute-resolver.xml has:
>>
>> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="Email" />
>>
>> It is likely that the SP side is using the Name rather than the friendlyName (which is the Right Thing to do), and may be mapping the OID style identifier to mail (on a Shib SP, that would be in attribute-map.xml).  Setting the name="Email" would likely fix that.
>>
>> I'm guessing this is not a Shib SP, as in that case the SP should just change their attribute-map.xml instead of having the IdP do it...
>>
>> -- 
>> %%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
>> %%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
>> %%  University of Minnesota    %%  +1 (612) 625-1809    %%
>>
>> --
>>
>> For Consortium Member technical support, see
>> https://wiki.shibboleth.net/confluence/x/coFAAg
>>
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net

-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
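
The Name-versus-FriendlyName behaviour discussed in this thread, as an added example that is not part of the original messages: a small SP-side mapper that matches on Name and NameFormat and ignores FriendlyName, run against a constructed attribute sent once as `Email` and once under the OID name. The two maps, the function names and the sample address are assumptions made for illustration, not any SP's actual configuration.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# SAML 2.0 default when NameFormat is omitted.
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"

# Hypothetical SP-side maps: (Name, NameFormat) -> local attribute id.
OID_MAP = {(MAIL_OID, URI_FORMAT): "mail"}    # SP that maps the OID name
EMAIL_MAP = {("Email", URI_FORMAT): "Email"}  # SP that expects Name="Email"


def statement(name, value="user@example.edu"):
    """Build a constructed AttributeStatement; FriendlyName is always "Email"."""
    return (
        f'<saml2:AttributeStatement xmlns:saml2="{ASSERTION_NS}">'
        f'<saml2:Attribute FriendlyName="Email" Name="{name}" NameFormat="{URI_FORMAT}">'
        f"<saml2:AttributeValue>{value}</saml2:AttributeValue>"
        "</saml2:Attribute></saml2:AttributeStatement>"
    )


def map_attributes(statement_xml, attribute_map):
    """Return (mapped, unmapped), matching on Name and NameFormat only."""
    mapped, unmapped = {}, []
    root = ET.fromstring(statement_xml)
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        key = (attr.get("Name"), attr.get("NameFormat", UNSPECIFIED))
        values = [v.text or "" for v in attr.iter(f"{{{ASSERTION_NS}}}AttributeValue")]
        local_id = attribute_map.get(key)
        if local_id is None:
            # FriendlyName is a display hint and is never consulted here.
            unmapped.append(key[0])
        else:
            mapped.setdefault(local_id, []).extend(values)
    return mapped, unmapped


if __name__ == "__main__":
    for name in ("Email", MAIL_OID):
        for label, amap in (("OID map", OID_MAP), ("Email map", EMAIL_MAP)):
            print(name, "|", label, "->", map_attributes(statement(name), amap))
```

With the same FriendlyName in every case, only the Name decides whether a rule matches, which is why an attribute sent as `Email` goes unmapped at an SP that maps only the OID name.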


