Set Assertion ENV var when attribute is empty

Tom Noonan tom at joinroot.com
Thu Mar 14 12:38:13 EDT 2019


Good afternoon:

I'm setting up some custom attribute through SPv3 and running into some
headaches with empty values.  Our IdP defaults to empty if an attribute
hasn't been set on a user's profile:

 <saml2:Attribute Name="role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/>
</saml2:Attribute>

I currently have the attribute mapped like so:

<Attribute name="role" id="role">
  <AttributeDecoder xsi:type="StringAttributeDecoder"
caseSensitive="false"/>
</Attribute>

The issue I'm seeing is that when the value is blank from the IdP the SP
omits the attribute.  If I go to Shibboleth.sso/Session in my browser the
assertion isn't listed under attributes.  I'd prefer to have it set with
the empty string rather than be omitted, reason being that right now I
can't tell if the attribute is omitted because it's blank in the user's
profile or if it's omitted because of a configuration error.  Is it
possible to set the attribute to the empty string if the attribute value in
the assertion is empty?

--Tom Noonan II
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20190314/8c4674d0/attachment.html>


More information about the users mailing list