Force a fixed value for a Mapped AttributeDefinition (DocuSign AccountID)

Jehan PROCACCIA jehan.procaccia at tem-tsp.eu
Thu Jan 28 22:16:14 UTC 2021


You are right, I am "guessing" how to build that static attribute and failing to do it.
The thing is that DocuSign expects to map attributes on their urn/oid name and not friendlyName, so I need an AttributeEncoder (here named "urn:oid:1.3.6.1.4.1.7391.5.1.1.1"); see my corrected definition below with an Encoder in a simple AttributeDefinition:

<DataConnector id="staticDSAccountID" xsi:type="Static">
    <Attribute id="staticDSAccountID">
        <Value>6bf9cfa7-d539-45d1-8a4c-2f9b17574a12</Value>
    </Attribute>
</DataConnector>

<AttributeDefinition xsi:type="Simple" id="staticDSAccountID">
    <AttributeEncoder xsi:type="SAML2String"
        name="urn:oid:1.3.6.1.4.1.7391.5.1.1.1" friendlyName="staticDSAccountID" />
</AttributeDefinition>


Now the IdP can start without error, but still my static attribute "staticDSAccountID" doesn't seem to be resolved/created and is not delivered to the SP, although I did allow it in the attribute-filter:

<AttributeFilterPolicy id="DocuSignAttr">
    <PolicyRequirementRule xsi:type="OR">
        <Rule xsi:type="Requester" value="https://shibattrviewer.mydomain.eu/sp" />
        <Rule xsi:type="Requester" value="https://account-d.docusign.com/organizations/secret/saml2" />
    </PolicyRequirementRule>

    <AttributeRule attributeID="mail" permitAny="true" />
    <AttributeRule attributeID="givenName" permitAny="true" />
    <AttributeRule attributeID="sn" permitAny="true" />
    <AttributeRule attributeID="employeeType" permitAny="true" />
    <AttributeRule attributeID="staticDSAccountID" permitAny="true" />
</AttributeFilterPolicy>

Did I miss something else?

----- Original Message -----
From: "Cantor, Scott" <cantor.2 at osu.edu>
To: "users" <users at shibboleth.net>
Sent: Thursday, 28 January 2021 22:46:06
Subject: Re: Force a fixed value for a Mapped AttributeDefinition (DocuSign AccountID)

On 1/28/21, 4:35 PM, "users on behalf of Jehan PROCACCIA" <users-bounces at shibboleth.net on behalf of jehan.procaccia at tem-tsp.eu> wrote:

>    anyway, I'm still having a hard time creating the static attribute for the DS accountID I need, here's how I defined it

I don't know what you're looking at, but you can't have encoders defined in a data connector. None of our examples should do that, and none of the reference material should say that you can do that.

Custom attributes don't have pre-existing transcoding rules so you have to either create a custom transcoding rule if you want to avoid a SimpleAttributeDefinition, or add a SimpleAttributeDefinition on top to use an AttributeEncoder.

-- Scott


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
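
Added example, not part of the original message or of the Shibboleth project's code: a small check over resolver XML that flags a Simple AttributeDefinition with no declared input, run against a constructed copy of the configuration posted above and against a variant that adds an InputDataConnector. It assumes the IdP V4 resolver syntax (InputDataConnector / InputAttributeDefinition child elements) and that a Simple definition takes its values only from those inputs; the account value is a placeholder and the lint() helper is hypothetical.

```python
import xml.etree.ElementTree as ET

RES = "{urn:mace:shibboleth:2.0:resolver}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
WRAP = ('<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">%s</AttributeResolver>')

# Constructed sample mirroring the post; the account value is a placeholder.
CONNECTOR = ('<DataConnector id="staticDSAccountID" xsi:type="Static">'
             '<Attribute id="staticDSAccountID"><Value>PLACEHOLDER</Value></Attribute>'
             '</DataConnector>')
ENCODER = ('<AttributeEncoder xsi:type="SAML2String" '
           'name="urn:oid:1.3.6.1.4.1.7391.5.1.1.1" friendlyName="staticDSAccountID"/>')
DEFINITION = '<AttributeDefinition xsi:type="Simple" id="staticDSAccountID">%s</AttributeDefinition>'
INPUT = '<InputDataConnector ref="staticDSAccountID" attributeNames="staticDSAccountID"/>'

POSTED = WRAP % (CONNECTOR + DEFINITION % ENCODER)           # encoder only, as in the post
WIRED = WRAP % (CONNECTOR + DEFINITION % (INPUT + ENCODER))  # assumed fix: input declared


def lint(resolver_xml):
    """Report Simple definitions whose inputs are missing or cannot supply a value."""
    root = ET.fromstring(resolver_xml)
    dcs = {dc.get("id"): dc for dc in root.findall(RES + "DataConnector")}
    # Attribute ids exported by each Static connector, keyed by connector id.
    static = {i: {a.get("id") for a in dc.findall(RES + "Attribute")}
              for i, dc in dcs.items() if dc.get(XSI_TYPE, "").split(":")[-1] == "Static"}
    findings = []
    for ad in root.findall(RES + "AttributeDefinition"):
        if ad.get(XSI_TYPE, "").split(":")[-1] != "Simple":
            continue
        from_dc = ad.findall(RES + "InputDataConnector")
        if not from_dc and not ad.findall(RES + "InputAttributeDefinition"):
            findings.append(ad.get("id") + ": no input declared")
        for dep in from_dc:
            ref, names = dep.get("ref"), set(dep.get("attributeNames", "").split())
            if ref not in dcs:
                findings.append(f"{ad.get('id')}: unknown connector {ref}")
            elif ref in static and names - static[ref]:
                findings.append(f"{ad.get('id')}: {ref} does not export {sorted(names - static[ref])}")
    return findings


if __name__ == "__main__":
    print("posted:", lint(POSTED))
    print("wired: ", lint(WIRED))
```

The attribute-filter rule keys on the AttributeDefinition id, so the filter policy in the message needs no change for the wired variant.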

