Resolving attributes from a SAML proxy

Wessel, Keith kwessel at illinois.edu
Fri Oct 8 16:14:03 UTC 2021


No, I'm using a function. In the mess of everything else in my last note, I mentioned that the predicate is in my custom object map that the function is using. The predicate isn't being used directly by the hook; it's being used by the function.

I suspected an attribute format issue, but I can't figure out what it's supposed to be because Microsoft is very bare bones in the attribute statement:

        <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
            <AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
            <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/unspecified</AttributeValue>
            <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
        </Attribute>

Since no format or type is specified, what kind of defaults should I assume and tell my transcoder rule to look for?

Keith

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Friday, October 8, 2021 11:03 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Resolving attributes from a SAML proxy

Well, you have to get rid of the warning obviously, so something's wrong with the rule. Is the Attribute NameFormat what you think it is? I don't know what Microsoft actually does.

Pre-requesting attributes is about using attributes in activation conditions inside the resolver. If you're not doing that, you have no reason to be dealing with that.

In addition, the authnContextTranslationStrategyEx hook is a Function, not a Predicate. You can't plug in a Predicate there, but if you did it would just break outright and not even load, so I don't think that's what you're actually doing, or you're missing something else in the log. If that were plugged into relying-party.xml, that service would be failing to start up.

The rule/warning issue is obviously the main thing though. Other than the NameFormat not being right or some kind of typo in the name, I don't know what else would break it.

-- Scott



-- 
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
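As an added example (not code from the Shibboleth project or from either poster), the following Python shows how the attribute Keith quotes is read when the `<Attribute>` carries no `NameFormat`: SAML 2.0 Core (section 2.7.3.1) says an omitted `NameFormat` is to be treated as `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified`. The rule structure (`id`, `name`, `nameFormat`) is a hypothetical, simplified stand-in for the name/format match a transcoding rule performs; the sample statement is constructed from the attribute in the message, wrapped in a namespaced `AttributeStatement` so it parses.

```python
"""Effective NameFormat of a SAML 2.0 Attribute that omits it (added example)."""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# SAML 2.0 Core sec. 2.7.3.1: when NameFormat is absent, "unspecified" applies.
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed sample: the attribute from the message above, given the SAML
# assertion namespace so it parses as a real AttributeStatement.
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
    <saml:AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AttributeValue>
    <saml:AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/unspecified</saml:AttributeValue>
    <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Hypothetical rule shapes (not the IdP's registry format): same Name, two
# different NameFormat expectations.
RULES_EXPECTING_URI = [
    {"id": "amr", "name": "http://schemas.microsoft.com/claims/authnmethodsreferences",
     "nameFormat": NAMEFORMAT_URI},
]
RULES_EXPECTING_UNSPECIFIED = [
    {"id": "amr", "name": "http://schemas.microsoft.com/claims/authnmethodsreferences",
     "nameFormat": NAMEFORMAT_UNSPECIFIED},
]


def parse_attributes(xml_text):
    """Return a list of (name, effective_name_format, values) for each Attribute.

    The effective format is the NameFormat XML attribute if present, otherwise
    the spec default of "unspecified".
    """
    root = ET.fromstring(xml_text)
    result = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        name = attr.get("Name")
        fmt = attr.get("NameFormat", NAMEFORMAT_UNSPECIFIED)
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
        result.append((name, fmt, values))
    return result


def decode_with_rules(attributes, rules):
    """Match each attribute on (Name, NameFormat) and return (decoded, warnings).

    An attribute with no matching rule produces a warning instead of a value,
    which is the kind of unmapped-attribute warning described in the thread.
    """
    decoded = {}
    warnings = []
    for name, fmt, values in attributes:
        rule = next((r for r in rules
                     if r["name"] == name and r["nameFormat"] == fmt), None)
        if rule is None:
            warnings.append(f"no rule for Attribute Name={name} NameFormat={fmt}")
        else:
            decoded[rule["id"]] = values
    return decoded, warnings


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_STATEMENT)
    for name, fmt, values in attrs:
        print(f"{name}\n  effective NameFormat: {fmt}\n  values: {values}")
    for label, rules in (("uri", RULES_EXPECTING_URI),
                         ("unspecified", RULES_EXPECTING_UNSPECIFIED)):
        decoded, warnings = decode_with_rules(attrs, rules)
        print(f"rule expecting {label}: decoded={decoded} warnings={warnings}")
```

Run as-is, the rule that expects the `uri` format fails to match and yields a warning, while the rule that expects `unspecified` decodes all three values; the takeaway for a rule definition is that an attribute with no `NameFormat` must be matched as `unspecified`, not as `uri`.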

