shibboleth Idp attributes with vendor SP using Samly

Jehan PROCACCIA jehan.procaccia at
Thu Jul 9 17:18:47 UTC 2020

I am trying to connect to an SP using the Samly library.
SSO SAML exchanges do seem to work fine, but although my Shibboleth IdP (v3.3.1, trying also 4.0.1 ...) does send attributes (mail required) to that SP, the SP doesn't seem to read/consume them.
The attribute consent page does show in my web browser:
mail jehan.procaccia at

IdP logs show the mail attribute being sent (I've tuned attribute-resolver-ldap and attribute-filter accordingly):

2020-06-30 09:39:57,508 - INFO [Shibboleth-Consent-Audit.SSO:241] - 20200630T073957Z|recruitee|AttributeReleaseConsent|procacci|eduPersonAffiliation,eduPersonPrincipalName, mail ,uid||true,true,true,true 
2020-06-30 09:39:58,020 - INFO [Shibboleth-Audit.SSO:241] - 20200630T073958Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|id159350278334557498112459464|recruitee| [,mail,eduPersonAffiliation,eduPersonPrincipalName%7CAAdzZWNyZXQxwSpUSitPxSmXP1JxAvZXo5KQuC/cqsDzaNuOKUX1R+Jhr7Q+152EA56poSnHtxN5pkxaZrq+DeKq/BRhfwKS8maplHicpVx2toRhrzkqMBU=%7C_069191cc01280baab086b257f0206648%7C |||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_f3ebd2a2a9daa2b82b2c2ca56e0d8237|procacci|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,eduPersonAffiliation,eduPersonPrincipalName|AAdzZWNyZXQxwSpUSitPxSmXP1JxAvZXo5KQuC/cqsDzaNuOKUX1R+Jhr7Q+152EA56poSnHtxN5pkxaZrq+DeKq/BRhfwKS8maplHicpVx2toRhrzkqMBU=|_069191cc01280baab086b257f0206648| ] 

But the SP provider keeps replying that the attribute Mail wasn't received.

Do you know of other successful attribute exchanges with the Samly lib?
Do you think I should change settings on my IdP side to enable the Mail attribute to be received on the SP side?

For example, in the idp-metadata.xml that I sent to that SP, I see the SAML2 AttributeService Binding commented out; could allowing that SOAP AttributeQuery be a workaround?

<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location=""/> 
<!-- <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location=""/> --> 
<!-- If you uncomment the above you should add urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration above --> 

Thanks.
