Cunfigure eduPersonTargetedID shibboleth Idp windows 3.4

Peter Schober peter.schober at
Fri Sep 24 12:08:43 UTC 2021

* Aisha Al Fudhaili <aisha at> [2021-09-24 11:08]:
> The dataconnecter is working now without any error, but the
> Pairwise-ID has no value ☹.

>From the aacli output you posted we can't determine that, yet (that
samlPairwiseID "has not value"): We only know that it's not being
released yet.

So you could take the next step and configure the attribute filter (in
order to get the attribute released) *or* you could first increase the
logging for the attribute resolver (to make sure samlPairwiseID indeed
has a value) and only once you're satisfied that the resolver works as
expected move on to configuring the attribute filter.

Since you'll have to do the latter (configure attribute filter) anyway
I'd suggest to assume the resolver is now working fine and configure
the filter for the release of samlPairwiseID.
(If that failes to work you can still go back to checking the resolver
and/or filter using the IDP's log files.)

For releasing the samlPairwiseID attribute you have multiple options, e.g.:

1. Add a rule only for the singular SP you want to use it with right now.
   This is the least useful method since you'd have to repeat those
   steps for every SP that needs samlPairwiseID, which is why I'm not
   providing an example for this. (But it's possible and it's easy.)

2. Add a rule that releases samlPairwiseID to any SP known via
   metadata that requests it (in the proper way).
   That's what the default attribute filter for IDPv4 includes these
   days (deviating from the long-established practice that a Shibboleth
   IDP does not release /any/ attributes by default) and you could
   simply copy/paste those rules into your own filter config:;a=blob;f=idp-conf/src/main/resources/conf/attribute-filter.xml;h=7787d0c532cc7d5a4f3130580d39daa18fd019af;hb=HEAD#l51
   I.e., copy lines 51-77 from that file into your filter and reload
   the attribute filter configuration.
   (Whether those lines will work in your IDP without any changes
   depends on your attribute filter configuration, esp. with regards
   to XML namespaces. Let's assume it'll work and you can always come
   back with more error messages.)

The specific rules from alternative 2 may be more complex than needed
in your case (since AFAIK you're not supporting samlSubjectID yet) but
copy/pasting them them is easier than trying to create a simplified
version thereof that only releases samlPairwiseID.
Also, and more importantly, using these rules you'll have your IDP
prepared if/once you add support for samlSubjectID.


More information about the users mailing list