Question on Shibboleth V3 ( Migration from older Shibboleth?

Peter Schober peter.schober at
Fri Nov 13 19:26:05 UTC 2020

* s chang via users <users at> [2020-11-13 19:02]:
> We were using old Shibboleth build, the existing oid mapping is not
> work after upgrade to V3.

Not sure what kind of answer you expect here. The only OID in your
example "code" was that of the eduPersonPrincipalName attribute and
the URI "urn:oid:" is still the formal name of
the eduPersonPrincipalName attribute for use with the SAML 2 protocol.

So whatever your problem is, it is NOT the result of that OID having
become "bad" in the meantime.

You'll need to explain what "oid mapping is not work" means.
If that's literally the case the problem is not with the Shibboleth
software because that's not where the "oid mapping" occurs, right?

Look at the output of the IDP, e.g. using the aacli:

/opt/shibboleth-idp/bin/ --saml2 -n SOME_USER -r

and determine whether that's correct/expected.

If you still have a copy of the old server around somewhere (before
the upgrade to IDPv3) you could also compare it with the output from
the old system.
You could also post the resulting SAML here and we can tell you
whether that looks sane, at least with regard to the
eduPersonPrincipalName attribute.
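
The comparison suggested above, sketched as an added example that is not part of the original post or of the Shibboleth software: it diffs the SAML 2 attributes found in two saved outputs (old server and new server). Assumptions: each output was saved as XML containing `saml2:Attribute` elements; the sample documents, user value and OID below are constructed placeholders, not values from this thread.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASIC_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
PLACEHOLDER_OID = "urn:oid:1.3.6.1.4.1.99999.1"  # constructed, not a real attribute OID

def attributes(xml_text):
    """Map each Attribute Name to (NameFormat, FriendlyName, sorted values)."""
    out = {}
    for attr in ET.fromstring(xml_text).iter(SAML + "Attribute"):
        values = sorted((v.text or "").strip()
                        for v in attr.iter(SAML + "AttributeValue"))
        out[attr.get("Name")] = (attr.get("NameFormat"),
                                 attr.get("FriendlyName"), values)
    return out

def compare(old_xml, new_xml):
    """List differences a relying party would notice between two outputs."""
    old, new = attributes(old_xml), attributes(new_xml)
    findings = []
    for name in sorted(old.keys() - new.keys()):
        findings.append(("missing", name, old[name][1]))
    for name in sorted(new.keys() - old.keys()):
        findings.append(("added", name, new[name][1]))
    for name in sorted(old.keys() & new.keys()):
        if old[name][0] != new[name][0]:
            findings.append(("nameformat-changed", name, new[name][0]))
        if old[name][2] != new[name][2]:
            findings.append(("values-changed", name, new[name][1]))
    return findings

def sample(name, name_format, friendly=None):
    """Build a constructed AttributeStatement carrying one attribute."""
    fn = f' FriendlyName="{friendly}"' if friendly else ""
    return (f'<saml2:AttributeStatement xmlns:saml2="{SAML[1:-1]}">'
            f'<saml2:Attribute Name="{name}" NameFormat="{name_format}"{fn}>'
            "<saml2:AttributeValue>jdoe@example.org</saml2:AttributeValue>"
            "</saml2:Attribute></saml2:AttributeStatement>")

# Constructed inputs: the old server names the attribute by URI, the new one
# emits a bare name, which an SP matching on the URI name would not recognise.
OLD = sample(PLACEHOLDER_OID, URI_FMT, "eduPersonPrincipalName")
NEW = sample("eduPersonPrincipalName", BASIC_FMT)

if __name__ == "__main__":
    for finding in compare(OLD, NEW):
        print(finding)
```
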

