IDP3/4 migration and attribute resolver configuration
spfma.tech at e.mail.fr
Thu Sep 29 15:03:11 UTC 2022
Hi,

I am in charge of replacing our almost ten-year-old IDP, and I am a bit lost on some points (neither a Shibboleth expert nor having up-to-date Java skills anymore).

I am using a multistage Docker build, so I can experiment at will. As recommended in the updating instructions, I installed IDP3.4.9 over a clone of our running instance, then tried to remove all warnings and install the latest IDP4 over it.

Right now, I have a running IDP4 but I have doubts about the attribute resolution configuration.

On the legacy instance, attributes were defined this way:

This syntax was not compliant with 3.4.9 (lots of warnings about NameSpaces) and after trial and error, I came to:

Even if it's not easy to find recent configuration examples, I also found sources suggesting:

or

When I checked with "aacli", I get a different output from IDP3 and IDP4.

IDP3_LEGACY:

{
"name": "mail",
"values": [
"StringAttributeValue{value=test.user at my.domain}"
]
},

IDP_3.4.9 (with any of the last two syntaxes):

{
"name": "mail",
"values": [
"StringAttributeValue{value=test.user at my.domain}"
]
},

IDP4 (with any of the last two syntaxes):

{
"name": "mail",
"values": [
"test.user at my.domain"
]
},

Is it an expected result? Do I take a risk if I choose the less verbose syntax (without any AttributeEncoder), or are there differences I can't see with "aacli"?

Regards