Resolving attributes from a SAML proxy

Wessel, Keith kwessel at
Fri Oct 8 18:07:41 UTC 2021

Well, duh. I haven't had to deal with unspecified (broken) attribute name formats in a while, and I had forgotten about that. Thank you.

Now, though, the attribute predicate is complaining that it can't find the attribute resolution context:

2021-10-08 12:48:12,858 - WARN [net.shibboleth.idp.profile.logic.AbstractAttributePredicate:105] - No AttributeContext located for evaluation

Am I supposed to call test and pass the prc as input from my function?

                if (custom["mfaAuthnClaimCondition"].test(input)) {

Seems like that's working or it at least wouldn't be able to complain about not finding the attribute resolution context. But I'm wondering if I need to pass something else other than the prc in? Or do I need to run attribute resolution first? Looks like, from the log, that's running already.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Friday, October 8, 2021 11:50 AM
To: Shib Users <users at>
Subject: Re: Resolving attributes from a SAML proxy

On 10/8/21, 12:14 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

>    I suspected an attribute format issue, but I can't figure out what it's supposed to be because Microsoft is
> very bare bones in the attribute statement:

saml2.nameFormat = urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

The IdP works the same as the SP's attribute map. We believe that Attribute NameFormat should always be "....uri" so that's the default, and anything else has to be spelled out. We made *our* default behavior simpler to specify, not how other people do things (incorrectly in my view).

-- Scott
