turning on ignoreUnmappedEntityAttributes

Wessel, Keith kwessel at illinois.edu
Wed Aug 11 18:51:46 UTC 2021

Easy enough. Thanks, Scott.


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Wednesday, August 11, 2021 12:02 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: turning on ignoreUnmappedEntityAttributes

"Mapped" means "has a transcoding/decoding rule to turn the SAML Attribute into an IdPAttribute".

Ignoring unmapped attributes means that it doesn't try to walk the XML and match on SAML names. It only evaluates pre-mapped, cached, decoded IdPAttributes that are stashed internally in hash maps along with the metadata objects for optimization.

The code that does the decoding will look for actual decoding rules in the registry service and if it doesn't find any, it will auto-decode anything that's got the URI NameFormat by creating a mapped IdPAttribute with the name matching the original URI name. This is "safe" because it assumes that if the format is a URI then it is unique and safe to decode without unintended collisions.

So in short, anything without the right NameFormat is ignored unless you define a transcoding rule for it.

In shorter short, always use NameFormat="...URI" and the IdP is happy. All the other values were dumb and never should have existed to begin with.

-- Scott

For Consortium Member technical support, see https://urldefense.com/v3/__https://shibboleth.atlassian.net/wiki/x/ZYEpPw__;!!DZ3fjg!rABpb0flbJr2OkjE-gnv_e2FkoPbJV_D1EXa7vjkze_xNokjo5iXHCBfp3X1pBHW-Q$ 
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list