IDP3/4 migration and attribute resolver configuration
spfma.tech at e.mail.fr
Tue Oct 4 15:01:03 UTC 2022
Hi,

Thanks for your answer. So I have edited my "services.xml" in order to enable the attribute registry, then I switched to the "attribute-resolver.xml" version without any transcoding configuration. It is now much better, I get SAML assertions according to the provided switch.

Regards
On 29-Sep-2022 17:13:21 +0200, users at shibboleth.net wrote:
* spf via users [2022-09-29 17:03]:
> Even if it's not easy to find recent configuration examples, I also found sources suggesting:
Some of those are just wrong ("mail" is not a proper attribute name;
attribute names should be URIs and MUST be URIs when the nameFormat
says they're URIs.)
And the differences not only depend on the version of the software
used but also on what (more modern) features one may have migrated to
using, here specifically the (optional) Attribute Registry, which is
what allows you to remove any Attribute Encoder elements from your
Attribute Definitions -- IFF your system is properly prepared for
that. Which yours won't be after upgrading from v3 -- which is fine.
> When I checked with "aacli", I get a different output from IDP3 and IDP4.
>
> IDP3_LEGACY:
> {
>   "name": "mail",
>   "values": [
>     "StringAttributeValue{value=test.user at my.domain}"
>   ]
> },
>
> IDP_3.4.9 (with any of the last two syntaxes):
> {
>   "name": "mail",
>   "values": [
>     "StringAttributeValue{value=test.user at my.domain}"
>   ]
> },
>
> IDP4 (with any of the last two syntaxes):
> {
>   "name": "mail",
>   "values": [
>     "test.user at my.domain"
>   ]
> },
FWIW, if you only have to care about or are interested in the actual
SAML wire representation you'd use the aacli with the --saml2 option.
> Do I take a risk if I choose the less verbose syntax (without any
> AttributeEncoder)
You don't take that risk. Migrating to the new Attribute Registry is
something you can do later (if ever), once the software has been
upgraded and everything continues to work without any SPs noticing any
changes.
-peter
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
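The reply above makes two points worth checking mechanically before an upgrade: an AttributeEncoder whose nameFormat is (or defaults to) the SAML 2 "uri" format must carry a real URI as its name (a bare "mail" is wrong), and definitions with no encoder at all only work once the Attribute Registry is configured. The script below is an added example written for this thread, not Shibboleth project code. It parses a constructed attribute-resolver.xml fragment and reports both cases. Assumptions: the resolver namespace urn:mace:shibboleth:2.0:resolver and the element names match the IdP v3/v4 schema, and a SAML2 encoder with no explicit nameFormat is treated as using the uri format (the IdP's default, as far as I know; adjust if your deployment sets another default). The sample XML, the connector id "myLDAP" and the definition ids are made up for the example.

```python
"""Flag non-URI attribute names and encoder-less definitions in an IdP
attribute-resolver.xml. Added example; not Shibboleth project code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed sample resolver fragment (not from the thread):
#  - "mail"          : encoder with a bare name, the mistake called out above
#  - "mail-good"     : encoder with the OID-based URI name for mail
#  - "mail-registry" : no encoder, relies on the Attribute Registry
SAMPLE = f"""<AttributeResolver xmlns="{RESOLVER_NS}" xmlns:xsi="{XSI_NS}">
  <AttributeDefinition id="mail" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
    <AttributeEncoder xsi:type="SAML2String" name="mail" friendlyName="mail"/>
  </AttributeDefinition>
  <AttributeDefinition id="mail-good" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
    <AttributeEncoder xsi:type="SAML2String"
        name="urn:oid:0.9.2342.19200300.100.1.3"
        friendlyName="mail" encodeType="false"/>
  </AttributeDefinition>
  <AttributeDefinition id="mail-registry" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
  </AttributeDefinition>
</AttributeResolver>
"""

DEF_TAG = f"{{{RESOLVER_NS}}}AttributeDefinition"
ENC_TAG = f"{{{RESOLVER_NS}}}AttributeEncoder"
TYPE_ATTR = f"{{{XSI_NS}}}type"


def is_uri(name: str) -> bool:
    """True if name is an absolute URI: a scheme plus something after it
    (urn:oid:..., https://example.org/attr). A bare word like "mail" fails."""
    parts = urlsplit(name)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def check_encoders(xml_text: str) -> list[tuple[str, str, str]]:
    """Return (definition id, encoder name, problem) for each SAML2 encoder
    whose nameFormat is the uri format but whose name is not a URI."""
    root = ET.fromstring(xml_text)
    problems = []
    for defn in root.iter(DEF_TAG):
        for enc in defn.findall(ENC_TAG):
            if not enc.get(TYPE_ATTR, "").startswith("SAML2"):
                continue  # SAML1 encoders follow a different naming convention
            name = enc.get("name")
            if name is None:
                continue  # e.g. NameID encoders carry no attribute name
            # Assumption: absent nameFormat means the uri format (IdP default).
            fmt = enc.get("nameFormat", URI_FORMAT)
            if fmt == URI_FORMAT and not is_uri(name):
                problems.append((defn.get("id", ""), name,
                                 "name is not a URI but nameFormat is uri"))
    return problems


def definitions_without_encoder(xml_text: str) -> list[str]:
    """Ids of definitions that carry no AttributeEncoder at all; these only
    emit a SAML attribute if the Attribute Registry supplies the name."""
    root = ET.fromstring(xml_text)
    return [d.get("id", "") for d in root.iter(DEF_TAG)
            if not d.findall(ENC_TAG)]


if __name__ == "__main__":
    for defn_id, name, why in check_encoders(SAMPLE):
        print(f"BAD  {defn_id}: name={name!r}: {why}")
    for defn_id in definitions_without_encoder(SAMPLE):
        print(f"INFO {defn_id}: no encoder, needs the Attribute Registry")
```

Run it against your real conf/attribute-resolver.xml by replacing SAMPLE with the file contents. Anything listed as BAD should get a URI name (for mail, the urn:oid name shown above) before you rely on the wire format; anything listed as INFO is exactly the set of attributes whose on-the-wire name now comes from the registry, so check those with aacli and the --saml2 option, as the reply above suggests, rather than trusting the resolver output alone.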