Attribute mapping on new SP3 install

HCUK eLearning daveperryatwork at gmail.com
Wed May 15 06:53:22 EDT 2019


Here's the on the wire stuff...

DEBUG logs from the IdP side (pre-encoding):
    <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>Staff@hull-college.ac.uk</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="mail"
            Name="urn:oid:0.9.2342.19200300.100.1.3"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>Dave.Perry@hull-college.ac.uk</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="eduPersonTargetedID"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>
                <saml2:NameID
                    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                    NameQualifier="https://shibb.hull-college.ac.uk/idp/shibboleth"
                    SPNameQualifier="https://webservices.hull-college.ac.uk/shibboleth">evK+lWyNCbZEhTDyOqlqrAmpJNo=</saml2:NameID>
            </saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="eduPersonPrincipalName"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>70012521@Hull-College.ac.uk</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>

DEBUG logs from the SP side (shibd.log):
2019-05-15 10:32:04 DEBUG Shibboleth.SSO.SAML2 [1] [default]: extracting pushed attributes...
2019-05-15 10:32:04 DEBUG Shibboleth.AttributeExtractor.XML [1] [default]: unable to extract attributes, unknown XML object type: saml2p:Response
2019-05-15 10:32:04 DEBUG Shibboleth.AttributeExtractor.XML [1] [default]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient)
2019-05-15 10:32:04 DEBUG Shibboleth.AttributeExtractor.XML [1] [default]: unable to extract attributes, unknown XML object type: saml2:AuthnStatement
2019-05-15 10:32:04 DEBUG Shibboleth.AttributeDecoder.Scoped [1] [default]: decoding ScopedAttribute (affiliation) from SAML 2 Attribute (urn:oid:1.3.6.1.4.1.5923.1.1.1.9) with 1 value(s)
2019-05-15 10:32:04 DEBUG Shibboleth.AttributeDecoder.String [1] [default]: decoding SimpleAttribute (mail) from SAML 2 Attribute (urn:oid:0.9.2342.19200300.100.1.3) with 1 value(s)
2019-05-15 10:32:04 DEBUG Shibboleth.AttributeDecoder.NameID [1] [default]: decoding NameIDAttribute (persistent-id) from SAML 2 Attribute (urn:oid:1.3.6.1.4.1.5923.1.1.1.10) with 1 value(s)
2019-05-15 10:32:04 DEBUG Shibboleth.AttributeDecoder.NameID [1] [default]: decoding saml2:NameID child element of AttributeValue
2019-05-15 10:32:04 DEBUG Shibboleth.AttributeDecoder.Scoped [1] [default]: decoding ScopedAttribute (eppn) from SAML 2 Attribute (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) with 1 value(s)
2019-05-15 10:32:04 DEBUG Shibboleth.AttributeFilter [1] [default]: filtering 4 attribute(s) from (https://shibb.hull-college.ac.uk/idp/shibboleth)
2019-05-15 10:32:04 DEBUG Shibboleth.AttributeFilter [1] [default]: applying filtering rule(s) for attribute (eppn) from (https://shibb.hull-college.ac.uk/idp/shibboleth)
2019-05-15 10:32:04 WARN Shibboleth.AttributeFilter [1] [default]: removed value at position (0) of attribute (eppn) from (https://shibb.hull-college.ac.uk/idp/shibboleth)
2019-05-15 10:32:04 DEBUG Shibboleth.AttributeFilter [1] [default]: applying filtering rule(s) for attribute (persistent-id) from (https://shibb.hull-college.ac.uk/idp/shibboleth)
2019-05-15 10:32:04 DEBUG Shibboleth.AttributeFilter [1] [default]: applying filtering rule(s) for attribute (mail) from (https://shibb.hull-college.ac.uk/idp/shibboleth)
2019-05-15 10:32:04 DEBUG Shibboleth.AttributeFilter [1] [default]: applying filtering rule(s) for attribute (affiliation) from (https://shibb.hull-college.ac.uk/idp/shibboleth)
2019-05-15 10:32:04 WARN Shibboleth.AttributeFilter [1] [default]: no values left, removing attribute (eppn) from (https://shibb.hull-college.ac.uk/idp/shibboleth)

From the IdP Metadata:
<shibmd:Scope regexp="false">Hull-College.ac.uk</shibmd:Scope>



On Wed, May 15, 2019 at 11:24 AM Peter Schober <peter.schober at univie.ac.at>
wrote:

> * HCUK eLearning <daveperryatwork at gmail.com> [2019-05-15 11:37]:
> > The userPrincipalName comes from an AD attribute and includes the
> > domain/scope already. [...]
> >
> > I can't see how to define a scope as a parameter (I tried
> > scope="@hull-college.ac.uk" as an attribute of the definition, to no avail).
>
> There's no need to do any of that. If the attribute comes "scoped"
> from LDAP and you put it into a "Prescoped" attribute definition
> you're done! There's nothing else needed, otherwise the docs would be
> mentioning it.
>
> If that doesn't help you fix this: Could you just post the data
> verbatim? What's the value, what does your existing IDP config look
> like? Alternatively: How does it look on the wire (IDP or SP debug
> log)? That way we can eliminate the IDP as the source of the problem.
>
> > A post I found via Google led me to attribute-policy on the SP side, so I
> > modified the scope on ScopedRules there to be @hull-college.ac.uk, and
> > restarted the SP. But it still didn't work.
>
> You shouldn't need to do that, either. An IDP should only release
> attributes with scopes that its own metadata whitelists. I.e., the
> metadata the SP has about the IDP should contain all scopes the IDP
> intends to assert attributes in.
>
> So I think it comes down to the IDP asserting the wrong -- either
> factually wrong or simply not part of its published metadata, yet --
> scopes. An SP should not need to change its policies for any of this:
> Those are generic rules that help prevent impersonation by rogue IDPs
> and should always remain in place.
>
> -peter
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
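The comparison the filter is making above (asserted scope versus the shibmd:Scope elements in the IdP's metadata), as an added diagnostic script that is not Shibboleth SP code and comes from neither poster. It parses an AttributeStatement and a metadata fragment, both constructed here from the values in the thread, and reports for every value of a scoped attribute whether its scope matches a metadata Scope exactly, only when case is ignored, or not at all. Assumptions, not taken from the page or the SP source: the value is split on its last "@"; regexp="true" scopes are matched with Python's regex engine as a full match; the OID-to-id mapping is the one the shibd.log lines above imply.

```python
"""Scope check for scoped SAML attributes: an added diagnostic, not
Shibboleth SP code.  Reports, per value, whether the scope matches a
metadata shibmd:Scope exactly, only case-insensitively, or not at all."""
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# SAML attribute Name -> SP-side attribute id as shown in shibd.log.
# Only the two scoped attributes from the thread; extend as needed.
SCOPED_ATTRIBUTES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "affiliation",
}

# Constructed sample input built from the values posted in the thread.
ATTRIBUTE_STATEMENT = """\
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
    <saml2:AttributeValue>Staff@hull-college.ac.uk</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <saml2:AttributeValue>70012521@Hull-College.ac.uk</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""

IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://shibb.hull-college.ac.uk/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">Hull-College.ac.uk</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def load_scopes(metadata_xml):
    """Return [(scope, is_regexp), ...] for every shibmd:Scope element."""
    root = ET.fromstring(metadata_xml)
    return [
        ((el.text or "").strip(), el.get("regexp", "false").lower() in ("true", "1"))
        for el in root.iter(f"{{{SHIBMD_NS}}}Scope")
    ]


def scope_matches(scope, rule, is_regexp, ignore_case):
    """Compare one scope string with one metadata Scope rule.  A regexp
    scope must match the whole string; Python's regex dialect is assumed
    close enough for the patterns usually found in metadata."""
    if is_regexp:
        flags = re.IGNORECASE if ignore_case else 0
        return re.fullmatch(rule, scope, flags) is not None
    return scope.casefold() == rule.casefold() if ignore_case else scope == rule


def classify_scope(scope, scopes):
    """'exact' if a rule matches as-is, 'case-only' if a rule matches only
    with case ignored, otherwise 'none'."""
    if any(scope_matches(scope, r, rx, False) for r, rx in scopes):
        return "exact"
    if any(scope_matches(scope, r, rx, True) for r, rx in scopes):
        return "case-only"
    return "none"


def check_statement(statement_xml, scopes):
    """Return {sp_attribute_id: [(value, verdict), ...]} for scoped attributes."""
    root = ET.fromstring(statement_xml)
    results = {}
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        sp_id = SCOPED_ATTRIBUTES.get(attr.get("Name"))
        if sp_id is None:
            continue  # not a scoped attribute, so no scope rule applies
        for value_el in attr.iter(f"{{{SAML2_NS}}}AttributeValue"):
            value = (value_el.text or "").strip()
            # Split on the last '@' (an assumption of this script).
            local, sep, scope = value.rpartition("@")
            if not sep:
                verdict = "unscoped"    # no '@' at all: nothing to check
            elif "@" in local:
                verdict = "multiple-@"  # more than one '@' in the value
            else:
                verdict = classify_scope(scope, scopes)
            results.setdefault(sp_id, []).append((value, verdict))
    return results


if __name__ == "__main__":
    scopes = load_scopes(IDP_METADATA)
    for sp_id, values in check_statement(ATTRIBUTE_STATEMENT, scopes).items():
        for value, verdict in values:
            print(f"{sp_id:12} {verdict:10} {value}")
```

Feed it the metadata the SP has actually loaded (whatever its MetadataProvider points at, which may be a federation feed rather than the IdP's own copy), since shibd filters against what it holds in memory and not against a snippet taken from the IdP. On the values from the thread the eppn scope is an exact match while the affiliation scope differs from the metadata only in case; the script deliberately reports those two cases separately rather than assuming how the SP's rule treats case.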