Azure AD Connector from IDP v4.1 - canonicalization failure
Ullfig, Roberto Alfredo
rullfig at uic.edu
Tue Aug 30 20:31:19 UTC 2022
Not understanding this line in those docs:
"By pulling an IdPAttribute directly from an IdPAttributePrincipal in the input Subject (as mentioned above, this is normally useful when proxying authentication to another IdP)"
The Subject doesn't contain an attribute - it contains a NameID.
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: Cantor, Scott <cantor.2 at osu.edu>
Sent: Tuesday, August 30, 2022 1:56 PM
To: Ullfig, Roberto Alfredo <rullfig at uic.edu>; Shib Users <users at shibboleth.net>
Subject: Re: Azure AD Connector from IDP v4.1 - canonicalization failure
> We just want a user identifier from Azure.
Then most of that is totally unnecessary, start over, and look at the attribute-sourced c14n docs and properties. No need for anything in the resolver whatsoever.
https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631602/AttributePostLoginC14NConfiguration
idp.c14n.attribute.resolveFromSubject = true
idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.FALSE
idp.c14n.attribute.attributeSourceIds = whateverId
Should be all that's needed other than making sure the input data is getting decoded by the registry.
-- Scott