Get assertion attributes in my Spring boot application

Ana Sustic ana at
Wed Sep 15 08:32:14 UTC 2021

Hi Peter
Thanks so much for your detailed answer.

You were correct in saying something was not correct between the SP and
IDP.  That is working correctly now and in this is what
/Shibboleth.sso/Session returns after I authenticate:

*Miscellaneous**Session Expiration (barring inactivity):* 479
minute(s)*Client Address:**SSO Protocol:*
urn:oasis:names:tc:SAML:2.0:protocol*Identity Provider:*
https://hostname/idp/shibboleth*Authentication Time:*
2021-09-15T07:14:11.975Z*Authentication Context Class:*
Context Decl:* (none)
*Attributes**affiliation*: 1 value(s)*eduPersonUniqueId*: 1
value(s)*givenName*: 1 value(s)*homeOrganization*: 1
value(s)*homeOrganizationType*: 1 value(s)*mail*: 1
value(s)*persistent-id*: 1 value(s)*scoped-affiliation*: 1
value(s)*surname*: 1 value(s)

I am using Apache Tomcat/7.0.76 and HTTP Reverse Proxying. I am not sure
what you mean when you say "looping over all attributes may not work". I
apologise  if this was already asked on the mailing list. I am new to the

When I now access the protected resource and authenticate to the IdP I get
the response from the ErrorController as if the mapping for my resource
would not exist.

public class AppErrorController implements ErrorController{
    private final static String PATH = "/error";
    public String getErrorPath() {
        // TODO Auto-generated method stub
        return "No Mapping Found";


Thanks and best regards

On Tue, Sep 14, 2021 at 9:09 PM Peter Schober <peter.schober at>

> * Ana Sustic <ana at> [2021-09-14 20:28]:
> > I have a spring boot application running on Apache Tomcat/7.0.76.
> > Shibboleth SP is running on Apache server. The resource
> > /attributes/view is secured using shibboleth.
> Then first verify that the Apache httpd (and IDP) side of things are
> working as expected.
> Your /Shibboleth.sso/Session not showing any attributes is not a good
> sign and simply means you can't expect anything after that, i.e.,
> Tomcat, to show any attributes.
> > I have no previous experience with Shibboleth secured resources and
> > would like to get the attributes in my application.
> The Shib SP write its ownlog files so that's where you'd look next.
> transaction.log has successfully mapped attributes (probably none
> at this point), shibd.log has everything else.
> > This is my controller:
> The Java doesn't factor into this, yet.
> (And looping over all attributes may not work, either, as discussed
> numerous times on this list. That's meant for later, once you have
> your web server and/or the IDP configured correctly and the Shib SP is
> showing attributes.
> Also for later is that you didn't mention how you integrated Apache
> httpd and Tomcat -- via AJP or HTTP Reverse Proxying -- and what
> Tomcat version that is. But, again, let's keep that until you have
> attributes showing up in the SP.)
> >         Attributes
> All we know so far is that the SP has no attributes available.
> That can have many reasons, maybe the IDP is not sending any or
> the SP is not configured to look for the ones the IDP is sending.
> If the IDP doesn't encrypt the SAML Response (or Assertion) you can
> see the SAML in the clear in your browser which is easiest using the
> SAML-Tracer extension for Firefox or Chromium/Chrome.
> If the Resopnse or Assertion is encrypted then ask the IDP what
> exactly they are sending.
> -peter
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list