eduPersonTargetedID and transcoder rules
kwessel at illinois.edu
Tue Apr 5 22:40:56 UTC 2022
Nope, still doesn't work, but here's another clue.
Attributes are being released by <RequestedAttributes> elements in metadata and an attribute filter policy that releases any requested attributes from metadata to any SP in this particular group. With decoder = false, I get no attribute released. Without decoder = false, I do.
If I manually release eptid to a specific SP in attribute-filter.xml, though, I get the attribute released even when decoder = false.
Not knowing the code, this seems totally weird and messed up. But I suspect you might have a theory what the connection might be... I hope.
From the metadata for this SP:
<RequestedAttribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
From the attribute filter policy that's using that:
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
If I add a new attribute filter policy for the specific SP, though, it releases it.
Happy to turn up logging if you can guide me to which class to turn it up for.
From: Cantor, Scott <cantor.2 at osu.edu>
Sent: Tuesday, April 5, 2022 5:06 PM
To: Shib Users <users at shibboleth.net>
Cc: Wessel, Keith <kwessel at illinois.edu>
Subject: Re: eduPersonTargetedID and transcoder rules
On 4/5/22, 5:49 PM, "users on behalf of Wessel, Keith via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> With decoder = false, it doesn't show up for either the default json output or the saml2 output of aacli.
Checked again, I'm not seeing that. Shows up in both for me. You probably need to dig into the logs, something must be going wrong with it, but it's nothing obvious.