Get assertion attributes in my Spring boot application

Ana Sustic ana at
Wed Sep 15 10:53:48 UTC 2021

Hi All
Thanks again for your help Peter. I was able to get the Shibboleth
attributes in my controller. After all the path was wrong (it should have
read /view and not /attributes/view since my app was deployed to
Best wishes

On Wed, Sep 15, 2021 at 10:32 AM Ana Sustic <ana at> wrote:

> Hi Peter
> Thanks so much for your detailed answer.
> You were correct in saying something was not correct between the SP and
> IDP. That is working correctly now and this is what
> /Shibboleth.sso/Session returns after I authenticate:
>
> *Miscellaneous*
> *Session Expiration (barring inactivity):* 479 minute(s)
> *Client Address:*
> *SSO Protocol:* urn:oasis:names:tc:SAML:2.0:protocol
> *Identity Provider:* https://hostname/idp/shibboleth
> *Authentication Time:* 2021-09-15T07:14:11.975Z
> *Authentication Context Class:* urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> *Authentication Context Decl:* (none)
>
> *Attributes*
> *affiliation*: 1 value(s)
> *eduPersonUniqueId*: 1 value(s)
> *givenName*: 1 value(s)
> *homeOrganization*: 1 value(s)
> *homeOrganizationType*: 1 value(s)
> *mail*: 1 value(s)
> *persistent-id*: 1 value(s)
> *scoped-affiliation*: 1 value(s)
> *surname*: 1 value(s)
>
> I am using Apache Tomcat/7.0.76 and HTTP Reverse Proxying. I am not sure
> what you mean when you say "looping over all attributes may not work". I
> apologise if this was already asked on the mailing list. I am new to the
> list.
> When I now access the protected resource and authenticate to the IdP I get
> the response from the ErrorController as if the mapping for my resource
> would not exist.
> @Controller
> public class AppErrorController implements ErrorController{
>     private final static String PATH = "/error";
>     @Override
>     @RequestMapping(PATH)
>     @ResponseBody
>     public String getErrorPath() {
>         // TODO Auto-generated method stub
>         return "No Mapping Found";
>     }
> }
> Thanks and best regards
> Ana
> On Tue, Sep 14, 2021 at 9:09 PM Peter Schober <peter.schober at>
> wrote:
>> * Ana Sustic <ana at> [2021-09-14 20:28]:
>> > I have a spring boot application running on Apache Tomcat/7.0.76.
>> > Shibboleth SP is running on Apache server. The resource
>> > /attributes/view is secured using shibboleth.
>> Then first verify that the Apache httpd (and IDP) side of things are
>> working as expected.
>> Your /Shibboleth.sso/Session not showing any attributes is not a good
>> sign and simply means you can't expect anything after that, i.e.,
>> Tomcat, to show any attributes.
>> > I have no previous experience with Shibboleth secured resources and
>> > would like to get the attributes in my application.
>> The Shib SP writes its own log files so that's where you'd look next.
>> transaction.log has successfully mapped attributes (probably none
>> at this point), shibd.log has everything else.
>> > This is my controller:
>> The Java doesn't factor into this, yet.
>> (And looping over all attributes may not work, either, as discussed
>> numerous times on this list. That's meant for later, once you have
>> your web server and/or the IDP configured correctly and the Shib SP is
>> showing attributes.
>> Also for later is that you didn't mention how you integrated Apache
>> httpd and Tomcat -- via AJP or HTTP Reverse Proxying -- and what
>> Tomcat version that is. But, again, let's keep that until you have
>> attributes showing up in the SP.)
>> >         Attributes
>> All we know so far is that the SP has no attributes available.
>> That can have many reasons, maybe the IDP is not sending any or
>> the SP is not configured to look for the ones the IDP is sending.
>> If the IDP doesn't encrypt the SAML Response (or Assertion) you can
>> see the SAML in the clear in your browser which is easiest using the
>> SAML-Tracer extension for Firefox or Chromium/Chrome.
>> If the Response or Assertion is encrypted then ask the IDP what
>> exactly they are sending.
>> -peter
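
An added example (not code from this thread): a Spring controller that reads the attributes listed by /Shibboleth.sso/Session by name instead of looping over everything on the request, checking the request attribute used with AJP first and then the request header used with HTTP reverse proxying. The class and method names are hypothetical, and it assumes the SP exports each attribute under the name shown in the session listing and that Tomcat is reachable only through the Apache httpd running the SP.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller, added for illustration. With HTTP reverse proxying
// the attributes arrive as plain request headers, so they are only trustworthy
// if no client can reach Tomcat without passing through the SP (assumption).
@RestController
public class ShibAttributeController {

    // Attribute names taken from the /Shibboleth.sso/Session listing quoted above.
    private static final List<String> NAMES = Arrays.asList(
            "affiliation", "eduPersonUniqueId", "givenName", "homeOrganization",
            "homeOrganizationType", "mail", "persistent-id",
            "scoped-affiliation", "surname");

    @RequestMapping("/view")
    public Map<String, List<String>> view(HttpServletRequest request) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (String name : NAMES) {
            out.put(name, read(request, name));
        }
        return out;
    }

    // Ask for one attribute by name: request attribute (AJP) first,
    // then request header (HTTP reverse proxying).
    static List<String> read(HttpServletRequest request, String name) {
        Object attr = request.getAttribute(name);
        String raw = (attr != null) ? attr.toString() : request.getHeader(name);
        return split(raw);
    }

    // The SP joins multiple values with ';' and escapes a literal ';' as "\;".
    static List<String> split(String raw) {
        List<String> values = new ArrayList<>();
        if (raw == null || raw.isEmpty()) {
            return values; // attribute not released or not mapped
        }
        for (String part : raw.split("(?<!\\\\);")) {
            values.add(part.replace("\\;", ";"));
        }
        return values;
    }
}
```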