shibboleth Idp attributes with vendor SP using Samly

Jehan PROCACCIA jehan.procaccia at tem-tsp.eu
Wed Jul 15 15:28:33 UTC 2020


Hello

Thank you for the precious advice and the link.
The remote party finally managed to get our mail attribute (called email on their side!),
so then everything was fine with that "old" IdP v3.3.1.
Now I have moved to IdP v4.0.1; unfortunately it now fails again on their side, before the attribute exchange, at the SSO stage, with a certificate check :-(
The issue they see is "cert_not_accepted".
Indeed, we are missing logs and detailed information from the remote party, but I cannot get them directly and I have to reverse engineer/guess what could be wrong on both sides.
I compared my IdP configurations from v3.3.1 to v4.0.1; they don't seem to change a lot, except for the size of the x509 "signing" cert, which is "bigger" in the latest version.
This cert was auto-generated when I ran the initial install.sh script.
Could there be a compatibility issue in terms of cert size?
Is there a way to check the key size used by the install script?

Thanks.

----- Original Message -----
From: "Peter Schober" <peter.schober at univie.ac.at>
To: "users" <users at shibboleth.net>
Sent: Friday 10 July 2020 13:04:49
Subject: Re: shibboleth Idp attributes with vendor SP using Samly

* Peter Schober <peter.schober at univie.ac.at> [2020-07-10 12:57]:
> * Jehan PROCACCIA <jehan.procaccia at tem-tsp.eu> [2020-07-09 19:19]:
> > SSO SAML exchanges do seem to work fine, but although my
> > shibboleth IDP (v3.3.1, trying also 4.0.1 ... ) does send attributes
> > (mail required) to that SP , the SP doesn't seem to read/consume
> > them.
> 
> What exact attribute name and nameformat does the SP expect?
> Probably that's simply something else than what your IDP is sending?

Try section "Customization" in the docs you referenced
https://hexdocs.pm/samly/readme.html#customization
adding a "Plug Pipeline" (whatever that is) that maps the on-the-wire
formal attribute names your IDP is sending to application-internal
attribute names.

E.g. where in the example code within compute_attributes() it does:

  assertion = conn.private[:samly_assertion]
  first_name = Map.get(assertion.attributes, "first_name")
  last_name  = Map.get(assertion.attributes, "last_name")

you should probably have (sticking with the example of first and last name):

  assertion = conn.private[:samly_assertion]
  first_name = Map.get(assertion.attributes, "urn:oid:2.5.4.42")  # givenName
  last_name  = Map.get(assertion.attributes, "urn:oid:2.5.4.4")   # sn

To get at the mail attribute you'd have to look for the appropriate
formal name of the mail attribute your IDP is sending, of course.

Best,
-peter
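An added example (not from the Samly README or from Peter's post) carrying the mapping above through to the mail attribute: a Plug pipeline that translates the formal urn:oid names a Shibboleth IdP puts on the wire into application-internal keys and fails closed when a required attribute is absent. Assumptions: the IdP releases givenName, sn and mail with their standard OID names; the module name, the internal keys and the required-attribute list are choices made for this example.

```elixir
# Added example, not Samly's own code: map SAML 2.0 formal attribute names
# (urn:oid:..., NameFormat "uri", as Shibboleth's default attribute-resolver
# encodes them) to the names the application uses internally.
defmodule MySamlyPipeline do
  use Plug.Builder
  alias Samly.Assertion

  # Keys are what the IdP actually sends; values are our internal names.
  # Only the formal Name is guaranteed to be in the assertion, so the SP must
  # key on it rather than on a friendly name such as "email".
  @attribute_map %{
    "urn:oid:2.5.4.42" => "first_name",                 # givenName
    "urn:oid:2.5.4.4" => "last_name",                   # sn
    "urn:oid:0.9.2342.19200300.100.1.3" => "email"      # mail
  }

  # Attributes without which no account may be provisioned (assumption).
  @required ["email"]

  plug :compute_attributes
  plug :jit_provision_user

  def compute_attributes(conn, _opts) do
    assertion = conn.private[:samly_assertion]

    # Keep only attributes that were present and non-empty in the assertion.
    computed =
      @attribute_map
      |> Enum.map(fn {oid, internal} -> {internal, Map.get(assertion.attributes, oid)} end)
      |> Enum.reject(fn {_internal, value} -> value in [nil, ""] end)
      |> Map.new()

    case Enum.reject(@required, &Map.has_key?(computed, &1)) do
      [] ->
        put_private(conn, :samly_assertion, %Assertion{assertion | computed: computed})

      missing ->
        # Fail closed: an assertion lacking a required attribute must not
        # reach jit_provision_user. Plug.Builder skips later plugs once halted.
        conn
        |> send_resp(403, "assertion lacks required attributes: " <> Enum.join(missing, ", "))
        |> halt()
    end
  end

  def jit_provision_user(conn, _opts) do
    # Look up or create the local account from
    # conn.private[:samly_assertion].computed ("first_name", "last_name", "email").
    conn
  end
end
```

If the remote IdP is a Shibboleth IdP with the default resolver, the OID names above are what arrives; the first thing to verify in the SP's logs is the exact Name (and NameFormat) of each attribute in the received assertion.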
-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
