LDAP authentication and attribute release to sp failed

Matthew Slowe Matthew.Slowe at jisc.ac.uk
Tue Nov 17 09:02:53 UTC 2020

> On 17 Nov 2020, at 03:23, s chang via users <users at shibboleth.net> wrote:
> Attribute-Resolver.xml
> <AttributeDefinition xsi:type="Simple" id="mail" sourceAttributeID="mail">
> <InputDataConnector ref="myLDAP" attributeNames="mail"/>
> <AttributeEncoder xsi:type="SAML1String" encodeType="false" name="urn:mace:dir:attribute-def:mail"/>
> <AttributeEncoder xsi:type="SAML2String" encodeType="false" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"/>
> </AttributeDefinition>

This may seem obvious, but, just in case… do you have a <DataConnector> block and is it working? You probably do or the IdP probably won't start correctly but it's worth a sanity check :-)

I'd turn up the DEBUG logs on the IdP and see what's being processed and what's being sent to the SP... stick these in idp.properties and restart and re-test:


You'll get a *lot* of messages but you should be able to trace the "mail" attribute being retrieved from LDAP, turned into a SAML attribute, passed through the filter and finally turned into an assertion and sent off to the SP.

Matthew Slowe (GPG: 0x6BE0CF7D04600314)
Technical Specialist - Trust & Identity, Jisc
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
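The archived message above does not show which properties Matthew pasted. The fragment below is an added example, not text from his reply: the log-level properties as they appear in a stock Shibboleth IdP v3/v4 idp.properties, set to DEBUG for exactly the kind of trace he describes (LDAP search, resolver, filter, SAML encoding). The defaults quoted in the comments are from the stock file; check your own copy, since local deployments sometimes move these into logback.xml directly.

```properties
# Added example (not part of the original mailing-list message).
# Log-level properties from a stock Shibboleth IdP v3/v4 idp.properties,
# raised to DEBUG to trace one attribute from LDAP to the assertion.
# Stock defaults are noted on each line; restore them when finished.

# Core IdP classes (net.shibboleth.*): attribute resolver, attribute
# filter, profile flows. Stock default: INFO
idp.loglevel.idp = DEBUG

# LDAP client (org.ldaptive): bind, search base/filter and the entry
# returned, so you can see whether "mail" actually came back from the
# directory for the myLDAP connector. Stock default: WARN
idp.loglevel.ldap = DEBUG

# PROTOCOL_MESSAGE logger: full SAML request/response as sent to the
# SP, i.e. the assertion that should carry the encoded attribute.
# Stock default: INFO
idp.loglevel.messages = DEBUG

# OpenSAML (org.opensaml): attribute encoding and message handling.
# Stock default: INFO
idp.loglevel.opensaml = DEBUG
```

After the restart, the trace lands in logs/idp-process.log; reading it in order, you should see the ldaptive search result, the resolver producing the "mail" IdPAttribute, the filter's decision for that attribute and SP, and then the outbound SAML response. Two caveats worth keeping in mind: DEBUG on these loggers records attribute values and complete protocol messages (personal data and possibly data the SP is not entitled to), so treat the resulting log files as sensitive and drop the levels back once the problem is found; and if nothing changes after the restart, confirm the running IdP is reading the idp.properties you edited rather than a copy elsewhere.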
