Configure eduPersonTargetedID shibboleth Idp windows 3.4
Peter Schober
peter.schober at univie.ac.at
Fri Sep 24 12:08:43 UTC 2021
* Aisha Al Fudhaili <aisha at omren.om> [2021-09-24 11:08]:
> The dataconnecter is working now without any error, but the
> Pairwise-ID has no value ☹.
From the aacli output you posted we can't determine that, yet (that
samlPairwiseID "has no value"): We only know that it's not being
released yet.
So you could take the next step and configure the attribute filter (in
order to get the attribute released) *or* you could first increase the
logging for the attribute resolver (to make sure samlPairwiseID indeed
has a value) and only once you're satisfied that the resolver works as
expected move on to configuring the attribute filter.
Since you'll have to do the latter (configure attribute filter) anyway
I'd suggest assuming the resolver is now working fine and configuring
the filter for the release of samlPairwiseID.
(If that fails to work you can still go back to checking the resolver
and/or filter using the IDP's log files.)
For releasing the samlPairwiseID attribute you have multiple options, e.g.:
1. Add a rule only for the singular SP you want to use it with right now.
This is the least useful method since you'd have to repeat those
steps for every SP that needs samlPairwiseID, which is why I'm not
providing an example for this. (But it's possible and it's easy.)
2. Add a rule that releases samlPairwiseID to any SP known via
metadata that requests it (in the proper way).
That's what the default attribute filter for IDPv4 includes these
days (deviating from the long-established practice that a Shibboleth
IDP does not release /any/ attributes by default) and you could
simply copy/paste those rules into your own filter config:
https://git.shibboleth.net/view/?p=java-identity-provider.git;a=blob;f=idp-conf/src/main/resources/conf/attribute-filter.xml;h=7787d0c532cc7d5a4f3130580d39daa18fd019af;hb=HEAD#l51
I.e., copy lines 51-77 from that file into your filter and reload
the attribute filter configuration.
(Whether those lines will work in your IDP without any changes
depends on your attribute filter configuration, esp. with regards
to XML namespaces. Let's assume it'll work and you can always come
back with more error messages.)
The specific rules from alternative 2 may be more complex than needed
in your case (since AFAIK you're not supporting samlSubjectID yet) but
copy/pasting them is easier than trying to create a simplified
version thereof that only releases samlPairwiseID.
Also, and more importantly, using these rules you'll have your IDP
prepared if/once you add support for samlSubjectID.
Best,
-peter
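The following attribute filter policy is an added example and is not part of Peter's message, nor is it copied from the Shibboleth-shipped attribute-filter.xml he links to. It is written in the style of what the IDPv4 default filter does (alternative 2 above): release samlPairwiseID to any SP whose metadata carries the SAML Subject Identifier requirement entity attribute with the value pairwise-id or any, and samlSubjectID only where an SP explicitly asks for subject-id. It assumes the AFP namespace is the default namespace of the file (as in a stock IDPv4 install) and that the attribute IDs defined in your resolver are samlPairwiseID and samlSubjectID; the policy id "subject-identifiers" is an arbitrary choice.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the Shibboleth project's shipped attribute-filter.xml.
     Assumes the IDPv4 default namespace layout (afp as the default namespace)
     and the attribute IDs samlPairwiseID / samlSubjectID as used in the resolver. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Release a subject identifier only to SPs whose metadata carries the
         SAML Subject Identifier "req" entity attribute, i.e. SPs that request
         it "in the proper way". Applies to every requester (ANY); the value
         rules below decide which identifier, if any, gets released. -->
    <AttributeFilterPolicy id="subject-identifiers">
        <PolicyRequirementRule xsi:type="ANY" />

        <!-- samlPairwiseID: released when the SP asks for pairwise-id,
             or states that it accepts "any" subject identifier. -->
        <AttributeRule attributeID="samlPairwiseID">
            <PermitValueRule xsi:type="OR">
                <Rule xsi:type="EntityAttributeExactMatch"
                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    attributeValue="pairwise-id" />
                <Rule xsi:type="EntityAttributeExactMatch"
                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    attributeValue="any" />
            </PermitValueRule>
        </AttributeRule>

        <!-- samlSubjectID: released only when the SP explicitly requires
             subject-id. If the resolver does not define samlSubjectID yet,
             this rule simply never matches anything and is harmless. -->
        <AttributeRule attributeID="samlSubjectID">
            <PermitValueRule xsi:type="EntityAttributeExactMatch"
                attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                attributeValue="subject-id" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

For the policy to fire, the SP's metadata (or a metadata filter on the IDP side that adds entity attributes) must carry an EntityAttributes extension with a saml:Attribute named urn:oasis:names:tc:SAML:profiles:subject-id:req, NameFormat urn:oasis:names:tc:SAML:2.0:attrname-format:uri and the value pairwise-id (or any). After editing the file, reload the filter service rather than restarting the whole IDP (bin/reload-service -id shibboleth.AttributeFilterService, using the .bat wrapper on Windows), then re-run aacli against the SP's entityID: samlPairwiseID should now appear in the output, and if it still doesn't, the attribute filter's log lines in idp-process.log will say which rule denied it.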