Resolving attributes from a SAML proxy

Wessel, Keith kwessel at illinois.edu
Fri Oct 8 18:07:41 UTC 2021


Well, duh. I haven't had to deal with unspecified (broken) attribute name formats in a while, and I had forgotten about that. Thank you.

Now, though, the attribute predicate is complaining that it can't find the attribute resolution context:

2021-10-08 12:48:12,858 - WARN [net.shibboleth.idp.profile.logic.AbstractAttributePredicate:105] - No AttributeContext located for evaluation

Am I supposed to call test and pass the prc as input from my function?

                if (custom["mfaAuthnClaimCondition"].test(input)) {

Seems like that's working or it at least wouldn't be able to complain about not finding the attribute resolution context. But I'm wondering if I need to pass something else other than the prc in? Or do I need to run attribute resolution first? Looks like, from the log, that's running already.

Keith

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Friday, October 8, 2021 11:50 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Resolving attributes from a SAML proxy

On 10/8/21, 12:14 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

>    I suspected an attribute format issue, but I can't figure out what it's supposed to be because Microsoft is
> very bare bones in the attribute statement:

saml2.nameFormat = urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

The IdP works the same as the SP's attribute map. We believe that Attribute NameFormat should always be "....uri" so that's the default, and anything else has to be spelled out. We made *our* default behavior simpler to specify, not how other people do things (incorrectly in my view).

-- Scott

