configure multiple name formats in SP attribute extractor
Prasanth Kumar K
kprasanthk at gmail.com
Wed Jan 27 14:20:22 UTC 2021
In our Shib SP we try to extract and decode the attribute "memberOf" from
multiple IdPs during assertion, since our SP is supported by multiple IdPs.
The problem we are facing is that each IdP sends a different nameFormat.

IdP1 is sending the SAML response below:
    <Attribute Name="memberOf">
        <AttributeValue>abc</AttributeValue>
        <AttributeValue>def</AttributeValue>
    </Attribute>
IdP2 is sending the SAML response below:
    <saml:Attribute Name="memberOf"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">eln</saml:AttributeValue>
    </saml:Attribute>
In our Shib SP we have configured the following to extract the "memberOf"
attribute:
    <Attribute name="memberOf"
               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
               id="memberOf">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
The above SP config doesn't seem to be working when IdP2 sends
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic".

Also, the Shib doc says to expect
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" from the SP
side. Refer here:
https://wiki.shibboleth.net/confluence/display/SP3/XMLAttributeExtractorExamples

How do we configure the SP's attribute extractor for multiple name formats of
the same attribute, so that we are able to extract and decode the attribute
during SAML assertions?

Thank you,
Prasanth K
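
The mismatch described in the post, as an added example that is not part of the original message and is not Shibboleth code: a small checker that lists which asserted attributes a set of mapping rules would drop. It assumes rules match on the exact Name plus NameFormat pair and that a rule without nameFormat means unspecified (both simplifications); the helper names and the `<Attributes>` wrapper are hypothetical, and the sample XML is constructed from the snippets above.

```python
import xml.etree.ElementTree as ET

FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:"
UNSPECIFIED = FMT + "unspecified"  # SAML 2.0 core: in effect when NameFormat is absent

def elements(xml_text, local_name):
    """Yield elements by local name, ignoring namespace prefixes."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            yield el

def load_rules(map_xml):
    """(name, nameFormat) -> id for every <Attribute> rule in the map."""
    # Simplification: a rule without nameFormat is treated as unspecified here.
    return {(r.get("name"), r.get("nameFormat", UNSPECIFIED)): r.get("id")
            for r in elements(map_xml, "Attribute")}

def extract(assertion_xml, rules):
    """Return (mapped, dropped): values per SP id, and unmatched (Name, NameFormat) pairs."""
    mapped, dropped = {}, []
    for attr in elements(assertion_xml, "Attribute"):
        key = (attr.get("Name"), attr.get("NameFormat", UNSPECIFIED))
        values = [v.text for v in attr if v.tag.rsplit("}", 1)[-1] == "AttributeValue"]
        if key in rules:
            mapped.setdefault(rules[key], []).extend(values)
        else:
            dropped.append(key)  # silently missing from the session unless reported
    return mapped, dropped

# Constructed samples modelled on the two responses and the rule quoted in the post.
IDP1 = """<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Attribute Name="memberOf">
    <AttributeValue>abc</AttributeValue><AttributeValue>def</AttributeValue>
  </Attribute></AttributeStatement>"""
IDP2 = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="memberOf" NameFormat="%sbasic">
    <saml:AttributeValue>eln</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>""" % FMT
RULE = '<Attribute name="memberOf" nameFormat="%s" id="memberOf"/>'
ONE_RULE = "<Attributes>" + RULE % UNSPECIFIED + "</Attributes>"
TWO_RULES = "<Attributes>" + RULE % UNSPECIFIED + RULE % (FMT + "basic") + "</Attributes>"

if __name__ == "__main__":
    for label, map_xml in (("one rule", ONE_RULE), ("two rules", TWO_RULES)):
        rules = load_rules(map_xml)
        for idp, xml_text in (("IdP1", IDP1), ("IdP2", IDP2)):
            print(label, idp, extract(xml_text, rules))
```

With only the unspecified rule, IdP2's memberOf lands in the dropped list; in this model, a second rule for the basic format that maps to the same id picks it up.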