Peter Schober peter.schober at univie.ac.at
Thu Jul 16 13:02:18 UTC 2020

Please keep replies to the list. Community support for
Free/Libre/OpenSource software doesn't work with private messages.

* VSK Manikanta <krishnamanikanta.v at gmail.com> [2020-07-16 14:19]:
> I have added the line that you have mentioned
> line 16  <Attribute name="urn:oid:" id="TeamcenterUserID" >
> line 17          <Attribute name="TeamcenterUserID" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="TeamcenterUserID"/>
> line 18  </Attribute>

That's not correct and also doesn't make any sense. Why would you
nest an Attribute with one name within an Attribute with another name?
If you're unsure and the documentation doesn't help at least look at
the default version of the file you're changing. That should
illustrate how to have multiple 'Attribute' XML elements in there.

Also, "urn:oid:" is the standard name for surname, so I
wouldn't change that definition. Unless the IDP is misconfigured and
actually sends "TeamcenterUserID" in the attribute meant for a
person's surname. Weird and nonsensical, but technically possible.

So move the 'Attribute' XML element for the "TeamcenterUserID" SAML
attribute name to become a sibling to all the other 'Attribute' XML
elements in that file, instead of as a child element of one of them:

<Attribute name="urn:oid:" id="TeamcenterUserID"/>
<Attribute name="TeamcenterUserID" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="TeamcenterUserID"/>

> I am using TeamcenterUserID as id earlier I was using uid

You're free to do whatever you want, esp assigning whatever internal
id to the attribute mapped from SAML as that will be private to the SP
you're doing that on.
But the 'name' XML attribute must match the SAML Attribute Name as
sent on the wire. And from the log you shared earlier the IDP sends
the "uid" attribute:

> Shibboleth.AttributeExtractor.XML [1] [default]: skipping unmapped
> SAML 2.0 Attribute with Name: uid,
> Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic

So unless the IDP now sends something else you'd still have to map the
"uid" attribute to whatever internal id you prefer.
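
An added example, not part of the original message or of the Shibboleth code base: a small Python check over an SP attribute map that flags nested 'Attribute' elements and reports whether an on-wire (Name, Format) pair, such as the logged uid/basic, is mapped. Both sample maps are constructed, "urn:oid:PLACEHOLDER" stands in for the truncated name, and treating an omitted nameFormat as the URI format is an assumption.

```python
import xml.etree.ElementTree as ET

NS = "{urn:mace:shibboleth:2.0:attribute-map}"
URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample: the nested layout from the quoted message.
# "urn:oid:PLACEHOLDER" is a placeholder, not a real attribute name.
NESTED_MAP = f"""<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:PLACEHOLDER" id="TeamcenterUserID">
    <Attribute name="TeamcenterUserID" nameFormat="{BASIC}" id="TeamcenterUserID"/>
  </Attribute>
</Attributes>"""

# Constructed sample: sibling elements, with the on-wire name "uid" mapped.
SIBLING_MAP = f"""<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:PLACEHOLDER" id="sn"/>
  <Attribute name="uid" nameFormat="{BASIC}" id="TeamcenterUserID"/>
</Attributes>"""


def check_map(xml_text):
    """Return (nested, mappings) for an attribute map.

    nested:   names of Attribute elements wrongly placed inside another Attribute
    mappings: {(name, nameFormat): id} for the top-level Attribute elements
    """
    root = ET.fromstring(xml_text)
    nested = [child.get("name")
              for attr in root.iter(NS + "Attribute")
              for child in attr.findall(NS + "Attribute")]
    # Assumption: an omitted nameFormat is treated as the URI format.
    mappings = {(a.get("name"), a.get("nameFormat", URI)): a.get("id")
                for a in root.findall(NS + "Attribute")}
    return nested, mappings


def mapped_id(xml_text, wire_name, wire_format):
    """Internal id the map assigns to an on-wire (Name, Format) pair, or None."""
    return check_map(xml_text)[1].get((wire_name, wire_format))


if __name__ == "__main__":
    for label, doc in (("nested", NESTED_MAP), ("sibling", SIBLING_MAP)):
        nested, _ = check_map(doc)
        print(label, "nested:", nested, "uid ->", mapped_id(doc, "uid", BASIC))
```

Running it against the real attribute map with the Name and Format taken from the "skipping unmapped" log line shows whether the SP has a mapping for what the IDP actually sends.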

