Trouble with SP (BambooHR) - have taken debugging as far as I can
Mike Osterman
ostermmg at whitman.edu
Fri Jul 26 00:44:38 EDT 2019
Hello,
I'm trying to get a 3rd-party SAML provider going (BambooHR), and after
debugging, it seems as if the URL I'm getting from the vendor is not
correct, or I have a misconfiguration in my AttributeFilterPolicy, as the
filter is not returning the mail attribute. They provide this:
https://<tenant>.bamboohr.com/saml/consume.php*
After some digging around, I found the documentation to do a Regex match in
the Requester URL:
https://wiki.shibboleth.net/confluence/display/IDP30/RequesterRegexConfiguration
And came up with this:
<AttributeFilterPolicy id="BambooHR-SAML">
    <PolicyRequirementRule xsi:type="RequesterRegex" regex="^https://whitmansandbox.bamboohr.com/.*$" />
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
I've got DEBUG on for net.shibboleth.idp, and from what I can tell,
the BambooHR-SAML policy is being evaluated, but it's not getting back the
"mail" attribute (or any other attributes, for that matter), which is
causing the
net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator
messages in lines 32-33 here:
https://gist.github.com/ostertoaster/3d322c8d2c9a48d9f8c3bb34cd7e12d0
I'm sure there's a simple explanation, but I've gotten as far as I can in
debugging this issue.
Thanks for any pointers!
Mike
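
Added example, not part of the original message and not Shibboleth code: a small Python evaluator that reports which requester strings activate the posted policy and which attribute IDs it would then permit. It assumes the rule is a whole-string match against the requester identifier the IdP sees; the enclosing group element and both candidate strings are constructed.

```python
import re
import xml.etree.ElementTree as ET

AFP = "{urn:mace:shibboleth:2.0:afp}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# The policy from the post inside a constructed group element (its id and the
# namespace declarations are added so the fragment parses on its own).
POLICY_XML = """\
<AttributeFilterPolicyGroup id="ExampleGroup"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="BambooHR-SAML">
    <PolicyRequirementRule xsi:type="RequesterRegex"
        regex="^https://whitmansandbox.bamboohr.com/.*$" />
    <AttributeRule attributeID="mail">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""

def policy_applies(rule, requester):
    """Evaluate a Requester or RequesterRegex rule against one requester string."""
    kind = rule.get(XSI_TYPE, "").split(":")[-1]
    if kind == "RequesterRegex":
        # Assumption: whole-string match, approximated with Python's re module.
        return re.fullmatch(rule.get("regex"), requester) is not None
    if kind == "Requester":
        return rule.get("value") == requester
    raise ValueError(f"rule type not handled here: {kind!r}")

def released_attributes(policy_xml, requester):
    """Map each policy that activates for `requester` to its permitted attribute IDs."""
    result = {}
    for policy in ET.fromstring(policy_xml).iter(AFP + "AttributeFilterPolicy"):
        rule = policy.find(AFP + "PolicyRequirementRule")
        if rule is not None and policy_applies(rule, requester):
            result[policy.get("id")] = [
                ar.get("attributeID")
                for ar in policy.findall(AFP + "AttributeRule")
                if ar.find(AFP + "PermitValueRule") is not None
            ]
    return result

if __name__ == "__main__":
    # Constructed candidates for the requester string being compared.
    for candidate in ("https://whitmansandbox.bamboohr.com/saml/consume.php",
                      "urn:example:sp-entity-id"):
        print(candidate, "->", released_attributes(POLICY_XML, candidate))
```

Comparing the result for each candidate against the requester value shown in the IdP's DEBUG log tells you whether the policy can activate for that relying party at all.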