LDAP authentication and attribute release to sp failed

s chang shirleyc2003 at yahoo.com
Tue Nov 17 07:47:51 UTC 2020


I tried with uid, sAMAccountName and mail in the search filter. None of them worked:

idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)

idp.attribute.resolver.LDAP.searchFilter = (sAMAccountName=$resolutionContext.principal)

idp.attribute.resolver.LDAP.searchFilter = (mail=$resolutionContext.principal)

From the log, the user login succeeded; only the attribute did not appear in the response:

2020-11-17 05:50:27,104 - 10.2.16.9 - INFO [org.ldaptive.auth.Authenticator:311] - Authentication succeeded for dn: admin at contoso.com

2020-11-17 05:50:27,104 - 10.2.16.9 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:152] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'admin at contoso.com' succeeded

2020-11-17 05:50:28,979 - 10.2.16.9 - INFO [Shibboleth-Audit.SSO:275] - 20201117T055028Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|id-4b1022bd-66cd-4aea-83cf-285cb744afae|http://fs.contoso.com/adfs/services/trust|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp01/idp|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_26c1d15842a551b17353cd80e3bc004a|admin@contoso.com|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||*******|_4623b9ecdf3eb1aab36a9d327119251a|true

thanks, SC
--------------------------------------
On Monday, November 16, 2020, 09:36:58 PM PST, Nate Klingenstein <ndk at signet.id> wrote:

SC,

> ldap.properties
> 
> idp.authn.LDAP.authenticator = adAuthenticator
> 
> idp.attribute.resolver.LDAP.searchFilter = (mail=$resolutionContext.principal)

It's just a guess, but your most likely problem is that your searchFilter is looking for LDAP entries that have a "mail" attribute that matches whatever the principal name was that was typed in.  Unless your users are authenticating with their email address as their username, there will be no matches, and you won't have any entry to pull mail from.  You may want to change that to uid= or something similar.

Beyond that, you would have to look at your IdP logs for more information.

Take care,
Nate.

--------
Signet, Inc.
The Art of Access ®

https://www.signet.id
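The point Nate makes above, that the searchFilter only finds an entry when the attribute it names holds exactly the value the user typed as a principal, is easy to see with a small simulation. The following is an added example written for this page; it is not code from the thread or from the Shibboleth IdP. The directory entries are constructed for illustration, the `$resolutionContext.principal` placeholder is the one used in the thread's ldap.properties, and the RFC 4515 escaping of the substituted value is this example's own choice of good practice, not a statement about how the IdP's resolver does the substitution.

```python
import re

# Constructed sample entries standing in for an AD directory.
# None of these values come from the thread.
DIRECTORY = [
    {
        "dn": "CN=admin,CN=Users,DC=contoso,DC=com",
        "sAMAccountName": "admin",
        "userPrincipalName": "admin@contoso.com",
        "mail": "admin@contoso.com",
    },
    {
        "dn": "CN=jdoe,CN=Users,DC=contoso,DC=com",
        "sAMAccountName": "jdoe",
        "userPrincipalName": "jdoe@contoso.com",
        "mail": "john.doe@contoso.com",   # mail need not equal the login name
    },
]

# Placeholder the IdP's searchFilter template uses for the authenticated principal.
PLACEHOLDER = "$resolutionContext.principal"

# Characters with special meaning in an LDAP filter value (RFC 4515 section 3).
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a principal before it is spliced into a filter string."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, principal: str) -> str:
    """Substitute the authenticated principal into the searchFilter template."""
    return template.replace(PLACEHOLDER, escape_filter_value(principal))


# Only simple equality filters such as (mail=value) are modelled here.
_EQUALITY = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>[^()]*)\)$")


def _unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(template: str, principal: str, directory: list) -> list:
    """Return the DNs the rendered filter would match in the sample directory."""
    rendered = render_filter(template, principal)
    m = _EQUALITY.match(rendered)
    if not m:
        raise ValueError(f"unsupported filter shape: {rendered}")
    attr = m.group("attr").lower()
    wanted = _unescape_filter_value(m.group("value")).lower()
    matches = []
    for entry in directory:
        # AD compares attribute names and these string values case-insensitively.
        actual = next((v for k, v in entry.items() if k.lower() == attr), None)
        if actual is not None and actual.lower() == wanted:
            matches.append(entry["dn"])
    return matches


if __name__ == "__main__":
    templates = [
        "(uid=$resolutionContext.principal)",
        "(sAMAccountName=$resolutionContext.principal)",
        "(mail=$resolutionContext.principal)",
    ]
    for template in templates:
        for principal in ("admin", "admin@contoso.com"):
            rendered = render_filter(template, principal)
            print(f"{rendered:48} -> {search(template, principal, DIRECTORY)}")
```

Running it shows the asymmetry the reply describes: `(sAMAccountName=...)` resolves the entry only when the user logged in as `admin`, `(mail=...)` only when the user logged in as `admin@contoso.com`, and `(uid=...)` never matches because the constructed AD-style entries carry no `uid` attribute at all. Whichever attribute the filter names has to be the one whose value the users actually type at the login form.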