Attribute mapping on new SP3 install

HCUK eLearning daveperryatwork at gmail.com
Tue May 14 12:09:03 EDT 2019 

Rod - I rendered out $_SERVER in PHP (which does HTTP headers and server
variables).

Nate - I've cranked it up and it's not giving any clues as to why it's
binned. But it's definitely there in the SAML response from the IdP. IdP
definition of eppn is scoped..
    <resolver:AttributeDefinition id="eduPersonPrincipalName"
xsi:type="ad:Prescoped" sourceAttributeID="userPrincipalName">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false"
/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
friendlyName="eduPersonPrincipalName" encodeType="false" />
    </resolver:AttributeDefinition>

SP's mapping is as follows:

<!-- The most typical eduPerson attributes. -->

    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"
caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"
caseSensitive="false"/>
    </Attribute>

And it's saying it applies a filter in shibd.log:
2019-05-14 17:02:15 DEBUG Shibboleth.AttributeDecoder.Scoped [1] [default]:
decoding ScopedAttribute (eppn) from SAML 2 Attribute
(urn:oid:1.3.6.1.4.1.5923.1.1.1.6) with 1 value(s)
2019-05-14 17:02:15 DEBUG Shibboleth.AttributeFilter [1] [default]:
filtering 4 attribute(s) from (
https://shibb.hull-college.ac.uk/idp/shibboleth)
2019-05-14 17:02:15 DEBUG Shibboleth.AttributeFilter [1] [default]:
applying filtering rule(s) for attribute (eppn) from (
https://shibb.hull-college.ac.uk/idp/shibboleth)
2019-05-14 17:02:15 WARN Shibboleth.AttributeFilter [1] [default]: removed
value at position (0) of attribute (eppn) from (
https://shibb.hull-college.ac.uk/idp/shibboleth)
I can't see where you set the filter on the SP side?


Thanks,
Dave

On Tue, May 14, 2019 at 5:02 PM Rod Widdowson <rdw at steadingsoftware.com>
wrote:

> > a new SP3
> > ...
> > I render out the HTTP headers
> > ...
> > Any ideas?
>
> By default out of the box install set server variable not headers
>
> /R
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20190514/d6f1d69a/attachment.html>

More information about the users mailing list