Shibboleth/apache/O365 Azure/Reverse Proxy
Peter Schober
peter.schober at univie.ac.at
Thu May 14 16:53:08 UTC 2020
* ptedesco <ptedesco at ims.consulting> [2020-05-14 17:54]:
> I truly appreciate the help, I am coming from a more hardware based
> background.
I doubt there's any career in engineering where one does not have to
read documentation or follow simple instructions -- Did you even have
a look at The Fine Manual?
https://wiki.shibboleth.net/confluence/display/SP3/XMLAttributeExtractor
Or the examples:
https://wiki.shibboleth.net/confluence/display/SP3/XMLAttributeExtractorExamples
> So I tried these with no luck.
>
> <Attribute name="urn:mace:dir:attribute-def:mail" id="SHIB_MAIL"/>
> <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB_MAIL"/>
> <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
> <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
> <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
> <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
> <Attribute name="urn:mace:dir:attribute-def:samaccountname" id="samaccountname" />
> <Attribute name="urn:oid:1.2.840.113556.1.4.221" id="samaccountname" />
None of these bear any resemblance to the attributes' names your own
log files told you that you were receiving but not mapping:
> > https://shibboleth.1660669.n2.nabble.com/file/t399239/Shibd.log
>
> skipping SAML 2.0 Attribute with Name: http://schemas.microsoft.com/identity/claims/tenantid, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
> skipping SAML 2.0 Attribute with Name: http://schemas.microsoft.com/identity/claims/objectidentifier, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
> skipping SAML 2.0 Attribute with Name: http://schemas.microsoft.com/identity/claims/displayname, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
> skipping SAML 2.0 Attribute with Name: http://schemas.microsoft.com/identity/claims/identityprovider, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
> skipping SAML 2.0 Attribute with Name: http://schemas.microsoft.com/claims/authnmethodsreferences, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
> skipping SAML 2.0 Attribute with Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
> skipping SAML 2.0 Attribute with Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
> skipping SAML 2.0 Attribute with Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
> skipping SAML 2.0 Attribute with Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
So *those* *names* (what comes after "Attribute with Name:" is the
attribute's name, shockingly) are what you'd have to add to your
attribute-map.xml if you wanted them to not be skipped/ignored/rejected.
Looking at the example for "unspecified" names in section "Hacky Naming":
https://wiki.shibboleth.net/confluence/display/SP3/XMLAttributeExtractorExamples
all you'd need for the above attributes is this -- for the first attribute:
<Attribute name="http://schemas.microsoft.com/identity/claims/tenantid" id="tenantid"/>
(The value for id is up to you in all cases.)
Maybe you can manage to finish the rest of the attributes on your own?
-peter
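As an added example, not part of the thread above: a small Python script that turns the "skipping SAML 2.0 Attribute with Name:" lines from shibd.log into attribute-map.xml entries following the pattern Peter shows. Deriving the id from the last segment of the claim URI and refusing duplicate ids are conventions of this example, not behaviour of the Shibboleth SP; the log lines embedded here are the ones quoted in the message.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Sample input: four of the shibd.log lines quoted in the thread.
SHIBD_LOG = """\
skipping SAML 2.0 Attribute with Name: http://schemas.microsoft.com/identity/claims/tenantid, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
skipping SAML 2.0 Attribute with Name: http://schemas.microsoft.com/identity/claims/objectidentifier, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
skipping SAML 2.0 Attribute with Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
skipping SAML 2.0 Attribute with Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
"""

SKIP_RE = re.compile(r"skipping SAML 2\.0 Attribute with Name: (\S+), Format:(\S+)")

def skipped_attributes(log_text):
    """Return (name, format) pairs for attributes shibd skipped, deduplicated, in log order."""
    seen = {}
    for m in SKIP_RE.finditer(log_text):
        seen.setdefault(m.group(1), m.group(2))
    return list(seen.items())

def default_id(name):
    """Derive an SP-side id from the last path segment of the claim URI.
    This is a naming convention of this example; the id value is up to you."""
    return urlparse(name).path.rsplit("/", 1)[-1]

def attribute_map(pairs, ids=None):
    """Build an attribute-map.xml document with one <Attribute> per skipped name.
    ids: optional overrides {claim name: id}. Raises if two different claims would
    get the same id, because the id is what the application sees (header/variable
    name) and a silent collision would merge two distinct claims into one."""
    ids = ids or {}
    root = ET.Element("Attributes", xmlns="urn:mace:shibboleth:2.0:attribute-map")
    used = {}
    for name, _fmt in pairs:
        attr_id = ids.get(name, default_id(name))
        if attr_id in used and used[attr_id] != name:
            raise ValueError(f"id {attr_id!r} already used for {used[attr_id]}")
        used[attr_id] = name
        # nameFormat is left out, as in the "Hacky Naming" example.
        ET.SubElement(root, "Attribute", name=name, id=attr_id)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    overrides = {"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "mail"}
    print(attribute_map(skipped_attributes(SHIBD_LOG), overrides))
```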