Azure AD Connector from IDP v4.1 - canonicalization failure

Wessel, Keith kwessel at illinois.edu
Tue Aug 30 20:51:34 UTC 2022


That's not literally referring to the subject of the assertion.

It mentions the attributes. That means the attributes coming in from the assertion sent by the upstream IdP, which are mapped into IdP attributes because they're defined in the IdP's attribute registry.

If all that's set up, then as Scott said, you don't need anything in your attribute resolver or attribute filter configuration.

Keith


From: users <users-bounces at shibboleth.net> On Behalf Of Ullfig, Roberto Alfredo via users
Sent: Tuesday, August 30, 2022 3:31 PM
To: Cantor, Scott <cantor.2 at osu.edu>; Shib Users <users at shibboleth.net>
Cc: Ullfig, Roberto A (UIC) <rullfig at uic.edu>
Subject: Re: Azure AD Connector from IDP v4.1 - canonicalization failure

Not understanding this line in those docs:

"By pulling an IdPAttribute directly from an IdPAttributePrincipal in the input Subject (as mentioned above, this is normally useful when proxying authentication to another IdP)"

The Subject doesn't contain an attribute - it contains a NameID.

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: Cantor, Scott <cantor.2 at osu.edu>
Sent: Tuesday, August 30, 2022 1:56 PM
To: Ullfig, Roberto Alfredo <rullfig at uic.edu>; Shib Users <users at shibboleth.net>
Subject: Re: Azure AD Connector from IDP v4.1 - canonicalization failure

>    We just want a user identifier from Azure.

Then most of that is totally unnecessary, start over, and look at the attribute-sourced c14n docs and properties. No need for anything in the resolver whatsoever.

https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631602/AttributePostLoginC14NConfiguration

idp.c14n.attribute.resolveFromSubject = true
idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.FALSE
idp.c14n.attribute.attributeSourceIds = whateverId

Should be all that's needed other than making sure the input data is getting decoded by the registry.

-- Scott
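Added example, not code from this thread or from the Shibboleth project: a small Python model of what Scott's three properties ask the attribute-sourced c14n flow to do (read attributes from the Subject, skip the resolver, try the configured source IDs in order). The principal classes, the attribute ID and the "first attribute with exactly one value wins" rule are assumptions of the model, and the last case shows the failure from the subject line: a Subject carrying only a NameID and no decoded attribute yields no principal name.

```python
# Simplified model of Shibboleth IdP attribute-sourced subject canonicalization.
# Assumption: a Subject is a list of principals; IdPAttributePrincipals are the
# attributes the registry decoded from the upstream assertion, NameID is separate.
from dataclasses import dataclass, field


@dataclass
class NameIDPrincipal:
    """Stand-in for the SAML NameID sent by the upstream IdP (not consulted here)."""
    value: str


@dataclass
class IdPAttributePrincipal:
    """Stand-in for an IdPAttribute placed in the Subject by the attribute registry."""
    attr_id: str
    values: list = field(default_factory=list)


def parse_c14n_properties(text):
    """Parse key = value lines from an idp.properties fragment (constructed input)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def canonicalize(subject, props):
    """Return the canonical principal name, or None on canonicalization failure."""
    if props.get("idp.c14n.attribute.resolveFromSubject", "false").lower() != "true":
        return None  # attributes are not read from the Subject, so nothing to use
    if props.get("idp.c14n.attribute.resolutionCondition") != "shibboleth.Conditions.FALSE":
        raise NotImplementedError("model covers only the resolver-disabled case")
    raw_ids = props.get("idp.c14n.attribute.attributeSourceIds", "")
    source_ids = [s.strip() for s in raw_ids.split(",") if s.strip()]
    # Only decoded attributes count; the NameID principal is ignored on purpose.
    attrs = {p.attr_id: p.values for p in subject if isinstance(p, IdPAttributePrincipal)}
    for attr_id in source_ids:
        values = attrs.get(attr_id, [])
        if len(values) == 1:  # assumption: a single value is required
            return values[0]
    return None  # no usable source attribute: canonicalization failure
```

Running `canonicalize` with a Subject that holds only a `NameIDPrincipal` returns `None`, which is the situation the thread's subject line describes when the registry has not decoded the expected attribute.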
