Issue with upgrade 3.3 to 4.1 no attributes released
Cantor, Scott
cantor.2 at osu.edu
Fri Nov 12 19:22:08 UTC 2021
> Well this is precisely where I believe the issue is. After upgrading to 4.0, the IDP would not start up without
> tons of errors and warnings around the attribute-resolver.xml file and I had to rebuild it from scratch to clear
> up any warnings and present attributes that were visible to the attribute release consent form.
That's the point of going to 3.4 and fixing all of the warnings first. Everything else is largely compatible.
> The documentation really doesn't provide end-to-end how to encode these.
Yes, it does. The old way of doing things is documented the same as before in the AttributeEncoder material, and the new material is under the AttributeRegistryConfiguration topic, including how to adjust an upgraded system to start leveraging the new features and how to go look at all the built-in rules.
> That led me to believe that I was not responsible for encoding the attributes in the attribute-resolver.xml file
> and this was being handled elsewhere.
An upgraded system that isn't messed with will process the old resolver file the same as it did before to ensure the old Encoders apply. It will do that instead of loading the built-in rules so that you don't end up with duplicates. A new install of V4 just loads the default rules and won't honor AttributeEncoder elements unless you adjust it to do so.
> My 4.0 and 4.1.4 eduPersonPrincipalName looks like this since this was not translated through the upgrade
> process and this was the best I could figure out from the documentation:
> <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple">
An upgraded IdP will not process the default rules that the new registry service provides. You ended up breaking it in the worst possible way, by short-circuiting it from using the new approach by upgrading, but removing all of your old encoders at the same time by slapping in a "new" resolver configuration.
The documentation of the Registry service covers how to take an upgraded system and wire in the default rules once you want them to operate by adjusting/adding to services.xml.
> The other question I have regarding that is how do you encode attributes being returned from LDAP?
> That is something else I had to manually fix because the upgrade did not translate my settings and put defaults
> that were irrelevant to my setup.
The upgrade does not touch your resolver file, you made that change. You need to take your older file and put it back if you want to avoid all these problems and if that's broken, then you need to fix the namespaces on whatever elements are broken, which is what 3.4 warns about. Or just feed it into 3.4 to get the warnings.
-- Scott
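
The following is an added example, not part of the original message and not Shibboleth project code. It checks a resolver file for the failure mode described above: AttributeDefinition elements that carry no AttributeEncoder, which on an upgraded IdP that has not wired in the registry's default rules leaves nothing to encode them. It assumes the file uses the unprefixed `urn:mace:shibboleth:2.0:resolver` namespace; the sample XML, the connector name `myLDAP` and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the resolver file uses the current, unprefixed resolver namespace.
RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def definitions_without_encoders(resolver_xml):
    """Return (id, xsi:type) for each releasable AttributeDefinition
    that has no AttributeEncoder child element."""
    root = ET.fromstring(resolver_xml)
    missing = []
    for ad in root.iter("{%s}AttributeDefinition" % RESOLVER_NS):
        # dependencyOnly definitions are never released, so no encoder is expected.
        if ad.get("dependencyOnly", "false").lower() == "true":
            continue
        if ad.find("{%s}AttributeEncoder" % RESOLVER_NS) is None:
            missing.append((ad.get("id", "?"), ad.get(XSI_TYPE, "?")))
    return missing


# Constructed sample: one definition rebuilt without its encoder, one with the
# old-style encoder kept, and one internal-only definition.
SAMPLE = """
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="uid"/>
  </AttributeDefinition>
  <AttributeDefinition id="mail" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
    <AttributeEncoder xsi:type="SAML2String"
                      name="urn:oid:0.9.2342.19200300.100.1.3"
                      friendlyName="mail"/>
  </AttributeDefinition>
  <AttributeDefinition id="uidInternal" xsi:type="Simple" dependencyOnly="true">
    <InputDataConnector ref="myLDAP" attributeNames="uid"/>
  </AttributeDefinition>
</AttributeResolver>
"""

if __name__ == "__main__":
    for attr_id, attr_type in definitions_without_encoders(SAMPLE):
        print("no encoder: %s (xsi:type=%s)" % (attr_id, attr_type))
```

An empty result on an upgraded system means every releasable definition still has an old-style encoder; a non-empty result is only a problem if the registry's default rules have not been enabled in services.xml.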