configure multiple name formats in SP attribute extractor

Prasanth Kumar K kprasanthk at gmail.com
Wed Jan 27 14:20:22 UTC 2021


In our Shib SP we try to extract and decode the attribute "memberOf" from
multiple IdPs during assertion, since our SP is supported by multiple IdPs.
The problem we are facing is that each IdP sends a different nameFormat.

IdP1 is sending the SAML response below:
<Attribute Name="memberOf">
<AttributeValue>abc</AttributeValue>
<AttributeValue>def</AttributeValue>
</Attribute>

IdP2 is sending the SAML response below:
<saml:Attribute Name="memberOf"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" >
<saml:AttributeValue xsi:type="xs:string">eln</saml:AttributeValue>
</saml:Attribute>

In our Shib SP we have configured the following to extract the "memberOf"
attribute:

<Attribute name="memberOf"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
id="memberOf">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>

The above SP config doesn't seem to be working when IdP2 sends
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic".

Also, reading the Shib doc, it says to expect
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" from the SP
side. Refer here:
https://wiki.shibboleth.net/confluence/display/SP3/XMLAttributeExtractorExamples

How do we configure the SP's attribute extractor for multiple name formats of
the same attribute, so that we are able to extract and decode the attribute
during SAML assertions?

Thank you,
Prasanth K
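
An added example, not part of the original post and not Shibboleth's own code: a simplified Python model of matching extractor rules on the (Name, NameFormat) pair, showing why a single "unspecified" rule misses IdP2's attribute and how a second rule with the "basic" format and the same id covers both IdPs. The exact-pair matching, the namespace-less rule XML and the sample attributes are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed attribute map (namespace omitted): one rule per NameFormat, same id.
ATTRIBUTE_MAP = f"""
<Attributes>
  <Attribute name="memberOf" nameFormat="{UNSPECIFIED}" id="memberOf"/>
  <Attribute name="memberOf" nameFormat="{BASIC}" id="memberOf"/>
</Attributes>"""

# Constructed samples shaped like the two IdP responses quoted in the post.
IDP1 = f"""<Attribute xmlns="{SAML_NS}" Name="memberOf">
  <AttributeValue>abc</AttributeValue><AttributeValue>def</AttributeValue>
</Attribute>"""
IDP2 = f"""<saml:Attribute xmlns:saml="{SAML_NS}" Name="memberOf" NameFormat="{BASIC}">
  <saml:AttributeValue>eln</saml:AttributeValue>
</saml:Attribute>"""


def load_rules(map_xml):
    """Index rules by (name, nameFormat); a rule without nameFormat is
    stored as 'unspecified' (assumption of this model)."""
    return {(r.get("name"), r.get("nameFormat", UNSPECIFIED)): r.get("id")
            for r in ET.fromstring(map_xml).iter("Attribute")}


def extract(rules, attribute_xml):
    """Return (id, values) if a rule matches Name and NameFormat, else None."""
    attr = ET.fromstring(attribute_xml)
    # SAML 2.0 core: an absent NameFormat is treated as 'unspecified'.
    key = (attr.get("Name"), attr.get("NameFormat", UNSPECIFIED))
    if key not in rules:
        return None  # no matching rule, so the attribute is not extracted
    values = [v.text for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
    return rules[key], values


if __name__ == "__main__":
    rules = load_rules(ATTRIBUTE_MAP)
    for label, sample in (("IdP1", IDP1), ("IdP2", IDP2)):
        print(label, extract(rules, sample))
```

Because both rules share one id, downstream authorization checks on "memberOf" see the same attribute regardless of which IdP issued the assertion.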