Trouble with SP (BambooHR) - have taken debugging as far as I can

Mike Osterman ostermmg at
Fri Jul 26 17:37:18 EDT 2019

Thanks, Peter. I've done some more digging and changed some things, but I'm
still stuck (see below).

On Fri, Jul 26, 2019 at 3:19 AM Peter Schober <peter.schober at>

> * Mike Osterman <ostermmg at> [2019-07-26 06:45]:
> > After some digging around, I found the documentation to do a Regex match
> in
> > the Requester URL:
> >
> >
> > And came up with this:
> >     <AttributeFilterPolicy id="BambooHR-SAML">
> >         <PolicyRequirementRule xsi:type="RequesterRegex" regex="^
> >*$" />
> Regexes shouldn't be necessary. I'm guessing your tenant SP is only
> that: One (1) SP with one (1) unchanging entityID. Just providing the
> correct entityID there (cf. the metadata you added for that SP) should
> suffice?
> But either way it still doesn't match:

You're right - I dug into the metadata file in $IDP_HOME/metadata/ and it
advertises a URL without a wildcard:
                <md:SPSSODescriptor AuthnRequestsSigned="false"

So I've updated my attribute filter policy, and removed the entityID from
the policy id attribute, just to make the logs easier to read:

    <AttributeFilterPolicy id="bamboohr">
        <PolicyRequirementRule xsi:type="Requester" value="" />
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

> > causing the
> > net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator
> > messages in lines 32-33 here:

> Line 11 already states that the policy didn't apply, hence no
> attributes and no attribute-sourced NameID:
> > Attribute Filter Policy 'BambooHR-SAML'  Policy is not active for this
> request

And yet still, same result - see line 5:

The only thing I didn't explicitly state is that it only supports NameID (yeah,
I know it sucks), but my understanding is I still need to release the
'mail' attribute so it can be released through the NameID format.

They also support Google Sign-In, but I *really* don't want to go that
route, nor do I think our ISO wants to.
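For readers following this thread, here is the complete set of IdP v3 configuration pieces that the discussion above touches on, as an added example and not configuration from the original posts: an attribute filter policy keyed on the SP's exact entityID (as Peter suggests), an attribute-sourced NameID generator that turns the released `mail` attribute into an emailAddress-format NameID, and a relying-party override that makes the IdP prefer that format for this SP. The entityID `https://sp.example.org/saml` is a placeholder assumption; substitute the entityID from the SP metadata file under $IDP_HOME/metadata/, copied character for character, since the Requester rule is an exact string match.

```xml
<!-- conf/attribute-filter.xml: release 'mail' only to this one SP.
     The value must equal the entityID in the SP's metadata exactly
     (scheme, host, path, trailing slash); no regex is needed for a single SP.
     https://sp.example.org/saml is a placeholder, not a real entityID. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <AttributeFilterPolicy id="bamboohr">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/saml" />
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>

<!-- conf/saml-nameid.xml: the generator only sees attributes that survived
     filtering, so if the policy above is "not active" for the request there is
     no source value and the IdP falls through to the next generator (transient). -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'mail'} }" />
</util:list>

<!-- conf/relying-party.xml: if the SP's metadata does not advertise a
     <md:NameIDFormat>, tell the IdP which format to prefer for this SP. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/saml">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        </list>
    </property>
</bean>
```

The ordering of checks matters for debugging: the filter log line "Policy is not active for this request" means the Requester value did not match the SP's entityID, and everything downstream (empty attribute set, attribute-sourced generator producing nothing) follows from that single mismatch, so compare the `value` string against the `entityID` attribute of the `<md:EntityDescriptor>` in the metadata file before touching the NameID configuration.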
