Issue with upgrade 3.3 to 4.1 no attributes released

Powell, Keith A PowellKeithA at
Wed Nov 10 22:28:07 UTC 2021

Maybe I should have phrased my query more simply: What sort of issues / configuration files would I look for after users have already authenticated, been presented with the attribute consent form, hit ok in the browser? I do believe that some SAML response  is not making it to or being properly communicated to the SP.

On your second point, I realize it may appear that I just upgraded without modifying the required config and property files since I didn't clearly stat that. I have a very clean startup, and debug is not providing a relevant error. It would be impossible to have gotten far enough in the authentication process to have attributes presented to the users browser to approve on their consent form if I had that many issues with the attribute-resolver configuration and IDP startup. I can see clearly in the debug logs that ldap is working and the attributes are being built.

This is the last thing I see in the debug line:
2021-11-10 12:13:10,405 - INFO [Shibboleth-Audit.SSO:283] - 2021-11-10T18:13:10.405008Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_lfskrohz0yd34xv0girdczvgmbkmkz5ectuxmom||||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_3626c31ec7a54a19bcd8317d5f5c3da5|banksjohnsoncatricer|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonAssurance,eduPersonPrincipalName,mail,surname,givenName|AAdzZWNyZXQxtYfi6WzUVobWre7WatOkdktOnoQg5RfoanQNNZZNi96t8ujbnyf8ELt+3rQ09pvpi81tPrZVxkxddYhINqIKsOC0ce91+2enMg0ZV+OhRHpD+sO+tD6figcGSozGZUHV2tEkBZGWcpRPc3dItV2YW6zaRLUY|_323d99a77004a80340dd5d5b6b087499|


On 11/10/21, 2:45 PM, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:

    On 11/10/21, 3:31 PM, "users on behalf of Powell, Keith A" <users-bounces at on behalf of PowellKeithA at> wrote:

    >    I will say the issue is not with CAS specifically. Basically we cannot finish the authentication to any endpoint. 

    Authentication in the IdP is quite distinct from attributes. If you generate a valid SAML response, the IdP is essentially working. The rest is about attributes and that's logged in some detail.

    > Each tested end point says the IDP is not sending attributes after the move from 3.4.8 to 4.0.

    Then the log should say why very explicitly. Either they're not resolved or they're filtered out.

    And you cannot ignore explicit errors long before you ever get that far about basic subsystems not even starting up. My guess is the resolver or filter services aren't even live and are simply doing nothing because of that.

    -- Scott

    For Consortium Member technical support, see 
    To unsubscribe from this list send an email to users-unsubscribe at

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

More information about the users mailing list