OIDC 2.0 config issue

Mohamed Lrhazi lrhazi at cua.edu
Fri Aug 20 02:38:02 UTC 2021


I am using Shibboleth 4.0.1 and OIDC 2.0.0.

I have an RP configured and working fine, releasing many attributes. I
needed to add an extra attribute but it would not work. While debugging, I
tried to completely break it by messing up AttributeFilterPolicy as follows:

<AttributeFilterPolicy id="example.com">
    <PolicyRequirementRule xsi:type="AND">
        <Rule xsi:type="Requester" value="xexample.com" />
        <Rule xsi:type="oidcext:OIDCScope" value="xopenid" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="subject">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="rokmetro_EMPLID">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

I added an "x" to cause it to not match anymore.... but the clients still
succeed in getting all the attributes as before! In the log I do see lines
like this for all attributes:

DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] -
Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted
release of attribute rokmetro_EMPLID values

Why are attributes released despite these changes?
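The following is an added illustration, not part of the post above and not Shibboleth or OIDC plugin code: a small Python model of how an AttributeFilterPolicy of the posted shape is evaluated. It parses the policy, checks the AND of the Requester and oidcext:OIDCScope rules against a request, and reports which attributes a policy permits, emitting a log line in the style of the one quoted above for every attribute nothing permitted. The namespace declarations (the oidcext URI is a placeholder), the request description and the attribute values are constructed assumptions; only the rule types present in the snippet (plus OR) are modelled.

```python
"""Simplified model of how a Shibboleth AttributeFilterPolicy decides release.

Constructed example, not the IdP's filter engine: it understands only the rule
types that appear in the posted snippet (AND, Requester, oidcext:OIDCScope,
ANY) plus OR, and evaluates them against a description of an OIDC request.
"""
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSI_TYPE = f"{{{XSI}}}type"

# Assumed prefix bindings so the snippet parses stand-alone; the oidcext URI is
# a placeholder. The real IdP configuration declares the prefixes on the root
# <AttributeFilterPolicyGroup> element.
NS_DECL = (f'xmlns:xsi="{XSI}" '
           'xmlns:oidcext="urn:example:oidcext-placeholder"')


def policy_xml(requester, scope):
    """The posted policy, parameterised on the two values the poster changed
    (example.com/openid versus xexample.com/xopenid)."""
    return f"""
<AttributeFilterPolicyGroup {NS_DECL}>
  <AttributeFilterPolicy id="example.com">
    <PolicyRequirementRule xsi:type="AND">
      <Rule xsi:type="Requester" value="{requester}" />
      <Rule xsi:type="oidcext:OIDCScope" value="{scope}" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="subject">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="rokmetro_EMPLID">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def rule_matches(rule, request):
    """Evaluate one rule against request = {"requester": str, "scopes": set}."""
    kind = rule.get(XSI_TYPE)
    if kind == "AND":
        return all(rule_matches(child, request) for child in rule)
    if kind == "OR":
        return any(rule_matches(child, request) for child in rule)
    if kind == "Requester":
        return request["requester"] == rule.get("value")
    if kind == "oidcext:OIDCScope":
        return rule.get("value") in request["scopes"]
    if kind == "ANY":
        return True
    raise ValueError(f"unsupported rule type {kind!r}")


def filter_attributes(xml_text, request, attributes):
    """Return (permitted, log): attribute values some policy permits, plus a
    log line for every resolved attribute that no policy permitted."""
    root = ET.fromstring(xml_text)
    permitted = {}
    for policy in root.iter("AttributeFilterPolicy"):
        requirement = policy.find("PolicyRequirementRule")
        if requirement is None or not rule_matches(requirement, request):
            continue  # policy does not apply to this request
        for attr_rule in policy.iter("AttributeRule"):
            attr_id = attr_rule.get("attributeID")
            permit = attr_rule.find("PermitValueRule")
            if attr_id in attributes and permit is not None:
                # Only value-rule type ANY is modelled: every value is released.
                if rule_matches(permit, request):
                    permitted.setdefault(attr_id, []).extend(attributes[attr_id])
    log = [
        "Attribute filtering engine 'ShibbolethAttributeFilter': "
        f"no policy permitted release of attribute {attr_id} values"
        for attr_id in attributes if attr_id not in permitted
    ]
    return permitted, log


# Constructed request and resolved attributes for the demonstration.
REQUEST = {"requester": "example.com", "scopes": {"openid", "profile"}}
ATTRIBUTES = {"subject": ["abc123"], "rokmetro_EMPLID": ["000123"],
              "mail": ["user@example.com"]}

if __name__ == "__main__":
    for requester, scope in (("example.com", "openid"), ("xexample.com", "xopenid")):
        permitted, log = filter_attributes(policy_xml(requester, scope), REQUEST, ATTRIBUTES)
        print(requester, scope, "->", permitted)
        for line in log:
            print("  ", line)
```

Run stand-alone, the unmodified policy permits subject and rokmetro_EMPLID and logs only the unlisted mail attribute, while the "x" variant permits nothing and logs the quoted "no policy permitted release" line for every attribute. The model covers only the filter decision itself; it says nothing about where the IdP takes the claims it actually returns to a client from.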

