shibboleth Idp attributes with vendor SP using Samly

Peter Schober peter.schober at
Fri Jul 10 10:56:43 UTC 2020

* Jehan PROCACCIA <jehan.procaccia at> [2020-07-09 19:19]:
> SSO SAML exchanges do seem to works fine , but although my
> shibboleth IDP (v3.3.1, trying also 4.0.1 ... ) does send attributes
> (mail required) to that SP , the SP doesn't seem to read/consume
> them.

What exact attribute name and nameformat does the SP expect?
Probably that's simply something else than what your IDP is sending?

> attribute consentment page does show in my web browser 
> mail [ jehan.procaccia at ]

Well, what the IDP is sending on the wire will look like

  <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <AttributeValue>peter.schober at</AttributeValue>

so those exact data points (name, nameformat) is what the SP would
need to be looking for.

> idp Logs show the mail attribute beeing sent (I' ve tuned attribute-resolver-ldap and attribute-filter accordingly)

There there's no reason to doubt that your IDP is sending it.

> But the SP provider keeps replying that the attribute Mail wasn't received.

As with other forms of "but it doesn't work": Sadly that's not a
technical error report that would allow anyone to help you diagnose
your problem.

> For example in my idp-metadata.xml that I sent to that SP I see
> AttributeService Binding SAML2 commented, allowing that SOAP
> AttributeQuery could be a workaround?


You'll need to find out how to make the SP look at the concrete data
your IDP sent.
Or otherwise find out how to make your IDP send the concrete data that
the SP expects, if and only if the SP cannot be configured to look at
the concrete data your IDP sends.


More information about the users mailing list