IDP proxy - attribute

Jerry Bailie jebailie at vassar.edu
Wed Aug 12 12:04:39 UTC 2020


#'s 3 and 4, I think we're good to go.

1 and 2, not so much...

I see this in the idp-process.log:

2020-08-12 07:53:45,847 - x.x.x.x - INFO
[net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:443]
- Profile Action ValidateSAMLAuthentication: No transcoding rule for
Attribute 'eduPersonScopedAffiliation'


So we know that it is being 'exported' out of the proxy.  This is true
because I can turn it 'off' on the proxy end and this message does not
present itself in the log.

This is what we have in attribute-filter.xml:

       <AttributeFilterPolicy id="proxy">
           <PolicyRequirementRule xsi:type="Issuer" value="https://vassar.onelogin.com" />
           <AttributeRule attributeID="eduPersonScopedAffiliation">
               <PermitValueRule xsi:type="ANY" />
           </AttributeRule>
       </AttributeFilterPolicy>

1) What should the "value" of the issuer be?  When the xsi:type is
"Requester", it is www.example.com/sp or some such related to the SP.
2) It's not clear how to 'map' the incoming attribute to a Transcoding rule.

- Jerry

On Tue, Aug 11, 2020 at 3:34 PM Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 8/11/20, 3:12 PM, "users on behalf of Jerry Bailie" <
> users-bounces at shibboleth.net on behalf of jebailie at vassar.edu> wrote:
>
> >    The question is, is how to obtain that attribute
> (eduPersonScopedAffiliation) from Onelogin ?
>
> https://wiki.shibboleth.net/confluence/display/IDP4/SAMLAuthnConfiguration
>
> Attribute Extraction and Filtering
> Attribute Resolution
>
> i.e.
>
> 1. Make sure the Attribute Registry transcoding rules map the necessary
> SAML Attribute(s) into their internal IDs.
> 2. Add filter rules as required to accept those attribute IDs from the
> "issuer".
> 3. Add a Subject data connector to export the attribute(s) back out of the
> resolver.
> 4. Add filter rules as required to release the attribute IDs to the SP.
>
> That's generally all it takes unless the use case is more complex.
>
> (3) automates all the complex parts that are happening under the covers.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
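Step 1 of the quoted procedure, for the attribute this thread is about, as an added example that is neither from the thread nor from the Shibboleth project's shipped configuration: a transcoding rule in a custom registry file that maps the SAML Attribute name the upstream IdP sends to the internal ID eduPersonScopedAffiliation, so the "No transcoding rule" message above stops and the Issuer filter policy in the post has something to permit. The SAML Attribute name, its NameFormat and the file name are placeholders because the thread does not give them; the Issuer value in the filter policy is assumed to be the entityID of the upstream (proxied) IdP, since that is what the Issuer rule matches.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/attributes/custom/onelogin-rules.xml (placeholder file name; the IdP
     loads every .xml under conf/attributes/custom/) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd"
       default-init-method="initialize" default-destroy-method="destroy">

    <!-- Maps the inbound <saml2:Attribute> to the internal attribute ID.
         saml2.name must match the Name the upstream IdP actually puts in its
         assertion; PLACEHOLDER-onelogin-attribute-name is not OneLogin's real
         value. Check the decoded assertion in idp-process.log at DEBUG to see
         the exact Name and NameFormat before copying them here. -->
    <bean parent="shibboleth.TranscodingProperties">
        <property name="properties">
            <props merge="true">
                <!-- internal ID the filter policy and resolver refer to -->
                <prop key="id">eduPersonScopedAffiliation</prop>
                <!-- scoped transcoder keeps the value@scope split intact
                     on the way in and back out -->
                <prop key="transcoder">SAML2ScopedStringTranscoder</prop>
                <prop key="saml2.name">PLACEHOLDER-onelogin-attribute-name</prop>
                <!-- assumed NameFormat; use whatever the upstream IdP sends -->
                <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:basic</prop>
                <prop key="displayName.en">Affiliation</prop>
                <prop key="description.en">Affiliation scoped to the home organization</prop>
            </props>
        </property>
    </bean>

</beans>
```

With this rule in place, the Issuer policy in attribute-filter.xml (step 2) permits the decoded eduPersonScopedAffiliation from the upstream entityID, and a Subject data connector (step 3) exports it from the resolver for release to the SP (step 4).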