Attribute not being added to assertion if username is in mixed case

Adam Bishop Adam.Bishop at
Tue Jan 5 15:20:44 UTC 2021

If a user logs into our IDP instance with a mixed case username (e.g. Adam.Bishop rather than adam.bishop), their group membership information is not added to the assertion.

Using case that matches their UID as stored in ldap (i.e. all lower case), it works as expected. I've reproduced it with my own account - the consent screen has no 'member' attribute in the list if I uppercase my username, and the the SP receives no 'member' attribute.

We're running 3.4.8, and upgraded a few days after release so it's possible this is recent breakage. Our configuration is fairly default, just password based login flows to <20 non-federated SP's.

The attribute is defined as:

    <AttributeDefinition id="member" xsi:type="Simple">
        <InputDataConnector ref="ipaGroupQuery" attributeNames="cn" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:" friendlyName="member" encodeType="false" />

The ldap search filter is:

The release policy is:

    <AttributeFilterPolicy id="releaseToAll">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="member">
            <PermitValueRule xsi:type="ANY" />

I've configured additional logging, and I can see that the group query is executed, and does return the list of groups (see end of email) - so what could be going on between the LDAP query and the assertion being sent.

It'll probably all work if I set shibboleth.authn.Password.Lowercase but that seems like a hack - if the group list is being returned by LDAP, matches the definition, and passes the filter policy it should be included as far as I understand.

Thanks for any assistance,

Adam Bishop
Senior security architect (systems)

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460


2021-01-05 14:47:29,873 - - DEBUG [org.ldaptive.SearchOperation:168] - execute response=[org.ldaptive.Response at 1501309882::result=[org.ldaptive.SearchResult at -887324086::entries=[[dn=uid=user,cn=users,cn=accounts,dc=domain[[mail[ at]], [ipaUniqueID[**snip**]], [krbLastPwdChange[20200421092040Z]], [title[Normal User]], [objectClass[inetuser, ipasshuser, ipantuserattrs, inetorgperson, ipaobject, krbprincipalaux, organizationalperson, top, person, ipauserauthtypeclass, krbticketpolicyaux, ipaSshGroupOfPubKeys, mepOriginEntry, posixaccount]], [loginShell[/bin/bash]], [uid[user]], [krbPasswordExpiration[20210421092040Z]], [homeDirectory[/home/user]], [givenName[User]], [ipaSshPubKey[*snip*]], [sn[Name]], [entryDN[uid=user,cn=users,cn=accounts,dc=domain]], [manager[uid=user,cn=users,cn=accounts,dc=domain]], [ipaNTSecurityIdentifier[**snip**]], [ou[Null]], [initials[UN]], [gidNumber[100]], [krbPrincipalName[user at DOMAIN]], [cn[User Name]], [uidNumber[100]], [gecos[User Name]], [displayName[User Name]], [memberOf[

** snip giant list of groups **

]], [ipaUserAuthType[otp]]], responseControls=null, messageId=-1]], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1] for request=[org.ldaptive.SearchRequest at -32050967::baseDn=cn=users,cn=accounts,dc=domain, searchFilter=[org.ldaptive.SearchFilter at 664361842::filter=(uid=USER), parameters={}], returnAttributes=[], searchScope=SUBTREE, timeLimit=3000, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=[[org.ldaptive.handler.DnAttributeEntryHandler at -1580910376::dnAttributeName=entryDN, addIfExists=false]], searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 1379181151::config=[org.ldaptive.ConnectionConfig at 139698044::ldapUrl=ldaps://server1.domain:636 ldaps://server2.domain:636, connectTimeout=3000, responseTimeout=3000, sslConfig=[org.ldaptive.ssl.SslConfig at 1806414996::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$2 at 7563ad67, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer at 1511278406::bindDn=uid=sso-bind,cn=users,cn=accounts,dc=domain, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory at 1840180882::metadata=[ldapUrl=ldaps://server1.domain:636 ldaps://server2.domain:636, count=1], environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig at 1584406844::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$ActivePassiveConnectionStrategy at 6534274a, controlProcessor=org.ldaptive.provider.ControlProcessor at 57e4f242, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection at 5ad91aa0]

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under company number. 05747339, VAT number GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 02881024, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.

Jisc Commercial Limited is a wholly owned Jisc subsidiary and a company limited by shares which is registered in England under company number 09316933, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.

For more details on how Jisc handles your data see our privacy notice here:

More information about the users mailing list