Not getting attributes

Matthews, Lee (NIH/NIDDK) [E] lee.matthews at nih.gov
Thu Apr 1 10:03:02 UTC 2021


Hello Nate,
Thanks very much for your assistance.
Once the entries that you specified were added, I was able to see the attributes and I was able to get the application to work.

Best regards,

Lee Matthews


________________________________
From: Nate Klingenstein <ndk at signet.id>
Sent: Wednesday, March 31, 2021 3:36 PM
To: Shib Users <users at shibboleth.net>; users at shibboleth.net <users at shibboleth.net>
Cc: Matthews, Lee (NIH/NIDDK) [E] <lee.matthews at nih.gov>
Subject: RE: Not getting attributes

Lee,

> 2021-03-31 14:03:09 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: email address, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

All attribute Names are presumed in the default configuration to be specification-compliant, and all the attributes' NameFormats are defaulted to urn:oasis:names:tc:SAML:2.0:attrname-format:uri.  You can add your own attributes, of course, but they should use attributes that are declared in a namespace that you own and using a NameFormat that is, well, actually specified.  As it is, your "email address" would be highly likely to collide with someone else's email address, and they may have completely different semantics, such as which characters are permitted and whether multiple values are allowed.  It's best to use a standard attribute if possible, and if not, define your own and make that definition clear, and when confronted by this, bite the bullet and map the attribute anyway.

> I am not sure what I am missing.

Attributes mappings.  Keeping in mind all the above about this being a bad set of attributes, you can accept the attributes that you're receiving right now without any modification to the IdP by adding the following to /etc/shibboleth/attribute-map.xml:

<Attribute name="email address" id="mail" />
<Attribute name="FirstName" id="firstName" />
<Attribute name="LastName" id="lastName" />
<Attribute name="eduperson Principal Name" id="eduPersonPrincipalName" />

Note that the last one is particularly ugly, since it does have a well-specified and widely-used SAML and LDAP name, but it'll work.

https://wiki.shibboleth.net/confluence/display/SP3/XMLAttributeExtractorExamples

I'm not entirely sure that you can have spaces in an attribute name, but you probably can.  I haven't validated that unspecified attribute NameFormats are passed through, but the Wiki is my holy book, and I follow its writings to the Cantor 3:21.

The better long-term fix would be for the IdP to release standard attribute names, but I fully understand what a challenge that is.

Best,
Nate.

--------
Signet, Inc.
The Art of Access ®

https://www.signet.id
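The mapping step Nate describes, as an added illustration that is not part of the thread or of the Shibboleth SP code: a small Python model of the SP's XML attribute extractor that applies attribute-map.xml rules to a SAML 2.0 AttributeStatement and reports which attributes were mapped and which were skipped. The attribute values and the "Department" attribute are constructed; the rule that an omitted nameFormat accepts both the uri and the unspecified formats is an assumption the thread itself leaves unverified.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
MAPNS = "urn:mace:shibboleth:2.0:attribute-map"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed attribute-map.xml: one standard (OID) rule, then the four rules from the reply.
ATTRIBUTE_MAP = f"""<Attributes xmlns="{MAPNS}">
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail" />
  <Attribute name="email address" id="mail" />
  <Attribute name="FirstName" id="firstName" />
  <Attribute name="LastName" id="lastName" />
  <Attribute name="eduperson Principal Name" id="eduPersonPrincipalName" />
</Attributes>"""

# Constructed AttributeStatement shaped like what the IdP in the thread sends (values invented).
STATEMENT = f"""<AttributeStatement xmlns="{SAML2}">
  <Attribute Name="email address" NameFormat="{FMT_UNSPEC}">
    <AttributeValue>someone@example.org</AttributeValue></Attribute>
  <Attribute Name="FirstName" NameFormat="{FMT_UNSPEC}">
    <AttributeValue>Lee</AttributeValue></Attribute>
  <Attribute Name="Department" NameFormat="{FMT_UNSPEC}">
    <AttributeValue>NIDDK</AttributeValue></Attribute>
</AttributeStatement>"""

def load_rules(map_xml, only_names=None):
    """Parse attribute-map.xml into (name, nameFormat-or-None, id) tuples.
    only_names restricts the rules so the 'before' state (no custom rules) can be shown."""
    root = ET.fromstring(map_xml)
    rules = [(a.get("name"), a.get("nameFormat"), a.get("id"))
             for a in root.findall(f"{{{MAPNS}}}Attribute")]
    return [r for r in rules if only_names is None or r[0] in only_names]

def extract(rules, statement_xml):
    """Apply the rules: an Attribute whose Name and NameFormat match a rule lands under
    the rule's id; anything else is skipped, which is what the SP's
    'skipping SAML 2.0 Attribute' log line reports."""
    mapped, skipped = {}, []
    for attr in ET.fromstring(statement_xml).findall(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name")
        fmt = attr.get("NameFormat", FMT_UNSPEC)  # SAML 2.0 default when NameFormat is absent
        values = [v.text or "" for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        # Assumption (not verified in the thread): a rule with no nameFormat matches
        # both the uri and the unspecified formats.
        hit = next((rid for rname, rfmt, rid in rules if rname == name and
                    (rfmt == fmt or (rfmt is None and fmt in (FMT_URI, FMT_UNSPEC)))), None)
        if hit is None:
            skipped.append((name, fmt))
        else:
            mapped.setdefault(hit, []).extend(values)
    return mapped, skipped

if __name__ == "__main__":
    before = load_rules(ATTRIBUTE_MAP, only_names={"urn:oid:0.9.2342.19200300.100.1.3"})
    print("before adding rules:", extract(before, STATEMENT))
    print("after adding rules: ", extract(load_rules(ATTRIBUTE_MAP), STATEMENT))
```

With only the standard OID rule loaded every attribute is skipped, which is the situation in the original log line; with the four custom rules loaded, "email address" and "FirstName" are mapped and only the unmapped "Department" is still skipped.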