Question on Shibboleth V3 ( Migration from older Shibboleth?

s chang shirleyc2003 at
Sun Nov 15 20:21:26 UTC 2020

 ok, thanks! we saw something was incorrect with mapping attribute we will fix. 

    On Friday, November 13, 2020, 11:26:23 AM PST, Peter Schober <peter.schober at> wrote:  
 * s chang via users <users at> [2020-11-13 19:02]:
> We were using old Shibboleth build, the existing oid mapping is not
> work after upgrade to V3.

Not sure what kind of answer you expect here. The only OID in your
example "code" was that of the eduPersonPrincipalName attribute and
the URI "urn:oid:" is still the formal name of
the eduPersonPrincipalName attribute for use with the SAML 2 protocol.

So whatever your problem is, it is NOT the result of that OID having
become "bad" in the meantime.

You'll need to explain what "oid mapping is not work" means.
If that's literally the case the problem is not with the Shibboleth
software because that's not where the "oid mapping" occurs, right?

Look at the output of the IDP, e.g. using the aacli:

/opt/shibboleth-idp/bin/ --saml2 -n SOME_USER -r

and determine whether that's correct/expected.

If you still have a copy of the old server around somewhere (before
the upgrade to IDPv3) you could also compare it with the output from
the old system.
You could also post the resulting SAML here and we can tell you
whether that looks sane, at least with regards to the
eduPersonPrincipalName attribute.

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list