Azure AD Connector from IDP v4.1 - canonicalization failure

Ullfig, Roberto Alfredo rullfig at
Tue Aug 30 18:49:26 UTC 2022

We just want a user identifier from Azure. Here is the relevant code:

    <AttributeDefinition xsi:type="SubjectDerivedAttribute"
        principalAttributeName="azureName" />

    <DataConnector id="passthroughAttributes" xsi:type="Subject"
        exportAttributes="azureName" />

    <AttributeFilterPolicy id="FilterPolicyObject-Proxy-FromAzure-byIssuer-Type">
        <PolicyRequirementRule xsi:type="Issuer" value="" />
        <AttributeRule attributeID="azureName">
            <PermitValueRule xsi:type="ScopeMatchesShibMDScope" />

    <bean parent="shibboleth.TranscodingRuleLoader">
        <bean parent="shibboleth.TranscodingProperties">
            <property name="properties">
                <props merge="true">
                    <prop key="id">azureName</prop>
                    <prop key="transcoder">SAML2ScopedStringTranscoder</prop>
                    <prop key=""></prop>
                    <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</prop>
                    <prop key="displayName.en">Name</prop>
                    <prop key="description.en">Azure UPN of an account expected to be scoped thus transcoded that way</prop>

    <util:list id="shibboleth.c14n.attribute.AttributesToResolve">
    <util:list id="shibboleth.c14n.attribute.AttributeSourceIds">

        <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />

Roberto Ullfig - rullfig at
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
From: users <users-bounces at> on behalf of Cantor, Scott via users <users at>
Sent: Tuesday, August 30, 2022 1:35 PM
To: Shib Users <users at>
Cc: Cantor, Scott <cantor.2 at>
Subject: Re: Azure AD Connector from IDP v4.1 - canonicalization failure

More to the point, what is the actual goal here?

If you're trying to just pass through a value from Azure, you're on 4.1 so you don't need to be running the resolver. The attribute-sourced method has properties in 4.1 that just directly pull in a decoded IdPAttribute from the IdP, and can disable running the resolver at all. Much less configuration.

-- Scott

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at
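The property-driven setup Scott refers to, written out as an added example by the editor of this page; it is not from either message in the thread. It assumes the IdP 4.1 property names for the attribute-sourced c14n flow in conf/c14n/subject-c14n.properties (attributesToResolve, attributeSourceIds, resolveFromSubject, resolutionCondition, trim, lowercase); check them against your installed IdP's copy of that file. The attribute ID azureName is the one from the thread.

```properties
# Added example (editor's, not from either message in this thread).
# Assumption: these are the IdP 4.1 properties for the attribute-sourced
# c14n flow in conf/c14n/subject-c14n.properties; verify the names against
# the copy shipped with your IdP before relying on them.

# Which decoded IdPAttribute supplies the username. In 4.1 these properties
# take the place of the shibboleth.c14n.attribute.AttributesToResolve and
# shibboleth.c14n.attribute.AttributeSourceIds lists in subject-c14n.xml.
# "azureName" is the attribute ID used in the thread.
idp.c14n.attribute.attributesToResolve = azureName
idp.c14n.attribute.attributeSourceIds = azureName

# Read the IdPAttribute straight from the Subject produced by the SAML proxy
# login flow (4.1+) instead of going through the attribute resolver.
idp.c14n.attribute.resolveFromSubject = true

# Do not run the attribute resolver during c14n at all; the value is already
# on the Subject, so the resolver has nothing to add here.
idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.FALSE

# Normalize the resulting principal name so the same Azure UPN always maps
# to the same IdP username (assumed property names, see above).
idp.c14n.attribute.trim = true
idp.c14n.attribute.lowercase = true
```

With this in place the c14n/attribute bean from the thread (the one parented on shibboleth.PostLoginSubjectCanonicalizationFlow) stays registered in subject-c14n.xml; only the two util:list beans and the resolver-side AttributeDefinition/DataConnector become unnecessary for the pass-through case, since the flow no longer resolves anything.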