LDAP authentication and attribute release to sp failed
Matthew Slowe
Matthew.Slowe at jisc.ac.uk
Tue Nov 17 09:02:53 UTC 2020
> On 17 Nov 2020, at 03:23, s chang via users <users at shibboleth.net> wrote:
>
> Attribute-Resolver.xml
>
> <AttributeDefinition xsi:type="Simple" id="mail" sourceAttributeID="mail">
>
> <InputDataConnector ref="myLDAP" attributeNames="mail"/>
>
> <AttributeEncoder xsi:type="SAML1String" encodeType="false" name="urn:mace:dir:attribute-def:mail"/>
>
> <AttributeEncoder xsi:type="SAML2String" encodeType="false" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"/>
>
> </AttributeDefinition>
This may seem obvious, but, just in case… do you have a <DataConnector> block and is it working? You probably do or the IdP probably won't start correctly but it's worth a sanity check :-)
I'd turn up the DEBUG logs on the IdP and see what's being processed and what's being sent to the SP... stick these in idp.properties and restart and re-test:
idp.loglevel.idp=DEBUG
idp.loglevel.messages=DEBUG
idp.loglevel.encryption=DEBUG
You'll get a *lot* of messages but you should be able to trace the "mail" attribute being retrieved from LDAP, turned into a SAML attribute, passed through the filter and finally turned into an assertion and sent off to the SP.
--
Matthew Slowe (GPG: 0x6BE0CF7D04600314)
Technical Specialist - Trust & Identity, Jisc
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
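The DataConnector sanity check suggested in the reply above, as an added example that is not part of the original thread: a small Python lint over a constructed attribute-resolver.xml modelled on the quoted snippet (the connector id myLDAP, the extra definitions and the ReturnAttributes list are assumptions), reporting InputDataConnector refs that match no DataConnector id and attributeNames the referenced connector does not return.

```python
import xml.etree.ElementTree as ET

# Constructed resolver modelled on the thread's snippet: "mail" is wired correctly, "displayName"
# has a mis-cased connector ref, "eppn" asks for an attribute the connector never returns.
SAMPLE_RESOLVER = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeDefinition xsi:type="Simple" id="mail">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"/>
  </AttributeDefinition>
  <AttributeDefinition xsi:type="Simple" id="displayName">
    <InputDataConnector ref="myLdap" attributeNames="displayName"/>
  </AttributeDefinition>
  <AttributeDefinition xsi:type="Simple" id="eppn">
    <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/>
  </AttributeDefinition>
  <DataConnector id="myLDAP" xsi:type="LDAPDirectory" ldapURL="ldap://ldap.example.org">
    <ReturnAttributes>mail displayName</ReturnAttributes>
  </DataConnector>
</AttributeResolver>"""

def _local(tag):
    return tag.rsplit('}', 1)[-1]  # drop the namespace so the check works with or without one

def _children(el, name):
    return [c for c in el if _local(c.tag) == name]

def check_resolver(xml_text):
    """Return a list of wiring problems; an empty list means every ref and attribute resolves."""
    root = ET.fromstring(xml_text)
    # DataConnector id -> attributes it returns (None = no ReturnAttributes element, i.e. everything)
    connectors = {}
    for dc in _children(root, 'DataConnector'):
        ra = _children(dc, 'ReturnAttributes')
        connectors[dc.get('id')] = set((ra[0].text or '').split()) if ra else None
    problems = []
    for ad in _children(root, 'AttributeDefinition'):
        for idc in _children(ad, 'InputDataConnector'):
            ref = idc.get('ref')
            if ref not in connectors:  # ids are case-sensitive: "myLdap" is not "myLDAP"
                problems.append(f'{ad.get("id")}: ref="{ref}" matches no DataConnector id')
                continue
            for name in (idc.get('attributeNames') or '').split():
                if connectors[ref] is not None and name not in connectors[ref]:
                    problems.append(f'{ad.get("id")}: "{name}" not in ReturnAttributes of "{ref}"')
    return problems

if __name__ == '__main__':
    print('\n'.join(check_resolver(SAMPLE_RESOLVER)) or 'resolver wiring looks sane')
```

Run it against the real attribute-resolver.xml before turning up DEBUG logging; a silent typo in a ref or a missing ReturnAttributes entry is a common reason an attribute never reaches the filter stage.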