OIDC: placeToIDToken replacement in the latest version?
lrhazi at cua.edu
Thu Aug 26 03:07:14 UTC 2021
Works as advertised. Thank you!
On Wed, Aug 25, 2021 at 10:00 PM Wessel, Keith <kwessel at illinois.edu> wrote:
> Correct, placeToIdToken and denyUserInfo are no longer allowed on
> attribute definitions. Instead, you set the attributes that should be
> included in the ID token or not allowed in userinfo in the properties in
> # "Always included" attributes are forced into ID tokens for all
> idp.oidc.alwaysIncludedAttributes = myDisplayName,email
> # "Denied" attributes are omitted from the UserInfo token
> idp.oidc.deniedUserInfoAttributes = some,other,attributes
> By default, the only claims that will be placed in the ID token are the
> standard OIDC reserved claims, and by default every released claim will be
> allowed in the userinfo. So, you can get back the placeToIdToken behavior
> by adding the names of those attributes to the first property above.
> From: users <users-bounces at shibboleth.net> On Behalf Of Mohamed Lrhazi
> Sent: Wednesday, August 25, 2021 7:56 PM
> To: Shib Users <users at shibboleth.net>
> Subject: OIDC: placeToIDToken replacement in the latest version?
> I am trying to recreate an old working config in a new installation using
> the latest shib idp and OIDC plugin.
> How do I add attributes to the response token? In the previous version I
> think I had to add the attribute to the attribute definition in
> attribute-resolve.xml. In the new version I am getting:
> shib-idp;idp-process.log;dev;nothing;Caused by:
> org.xml.sax.SAXParseException: cvc-complex-type.3.2.2: Attribute
> 'placeToIDToken' is not allowed to appear in element 'AttributeEncoder'.
> I also see this in the log:
> - DEBUG
> - Profile Action AddAttributesToClaimsSet: Attribute myDisplayName not
> targeted for ID Token
> - DEBUG
> - Profile Action AddAttributesToClaimsSet: Attribute email not targeted for
> ID Token
> Thanks a lot,
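An added example, not part of the thread and not Shibboleth project code: a small migration check that scans a pre-upgrade resolver file for the two legacy encoder flags and prints the replacement property lines named in the reply. It assumes the flags sit on `AttributeEncoder` children of `AttributeDefinition` elements and that the property values are the attribute definition ids (as the log lines in the question suggest); the sample XML, the `oidcext` namespace URI and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{urn:mace:shibboleth:2.0:resolver}"

# Constructed sample of a pre-upgrade resolver file; oidcext URI is a placeholder.
LEGACY_RESOLVER = """\
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oidcext="urn:example:placeholder">
  <AttributeDefinition id="myDisplayName" xsi:type="Simple">
    <AttributeEncoder xsi:type="oidcext:OIDCString" name="name" placeToIDToken="true"/>
  </AttributeDefinition>
  <AttributeDefinition id="email" xsi:type="Simple">
    <AttributeEncoder xsi:type="oidcext:OIDCString" name="email" placeToIdToken="true"/>
  </AttributeDefinition>
  <AttributeDefinition id="employeeNumber" xsi:type="Simple">
    <AttributeEncoder xsi:type="oidcext:OIDCString" name="emp" denyUserInfo="1"/>
  </AttributeDefinition>
  <AttributeDefinition id="uid" xsi:type="Simple">
    <AttributeEncoder xsi:type="oidcext:OIDCString" name="sub" placeToIDToken="false"/>
  </AttributeDefinition>
</AttributeResolver>
"""

def legacy_flags(xml_text):
    """Return (always_included, denied_userinfo) lists of attribute definition ids."""
    always, denied = [], []
    for definition in ET.fromstring(xml_text).iter(NS + "AttributeDefinition"):
        attr_id = definition.get("id")
        for enc in definition.iter(NS + "AttributeEncoder"):
            # The thread spells the flag both placeToIDToken and placeToIdToken,
            # so compare attribute names case-insensitively.
            flags = {k.lower(): v.strip().lower() for k, v in enc.attrib.items()}
            if flags.get("placetoidtoken") in ("true", "1") and attr_id not in always:
                always.append(attr_id)
            if flags.get("denyuserinfo") in ("true", "1") and attr_id not in denied:
                denied.append(attr_id)
    return always, denied

def to_properties(xml_text):
    """Render the two replacement property lines from the legacy flags."""
    always, denied = legacy_flags(xml_text)
    return ["idp.oidc.alwaysIncludedAttributes = " + ",".join(always),
            "idp.oidc.deniedUserInfoAttributes = " + ",".join(denied)]

if __name__ == "__main__":
    print("\n".join(to_properties(LEGACY_RESOLVER)))
```

The flags still have to be deleted from the encoders afterwards, since the new schema rejects them; reviewing the generated list is also a chance to confirm each claim really belongs in the ID token.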