<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div>On Thu, 2018-09-06 at 13:45 -0400, Ryan Suarez wrote:</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<div>    <resolver:AttributeDefinition xsi:type="ad:Mapped" id="eduPersonScopedAffiliation" sourceAttributeID="myAttribute"></div>
<div>        <resolver:Dependency ref="ldap" /></div>
<div>        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" /></div>
<div>        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" /></div>
<div>        <ad:ValueMap></div>
<div>           <ad:ReturnValue><a href="mailto:student@mydomain.ca">student@mydomain.ca</a></ad:ReturnValue></div>
<div>           <ad:SourceValue>students</ad:SourceValue></div>
<div>        </ad:ValueMap></div>
<div>    </resolver:AttributeDefinition></div>
<div><br>
</div>
<div>I can see the mapped attribute when testing from the IdP with this command "aacli.sh --configDir /opt/shibboleth-idp/conf --principal=someUser --requester
<a href="https://sp.somedomain.ca">https://sp.somedomain.ca</a>". However, I cannot see the mapped attribute in the SAML assertion to the SP when inspecting with the SAML tracer tool for Firefox.</div>
<div><br>
</div>
<div>Why is the mapped attribute not part of the assertion if it shows up with aacli?</div>
</blockquote>
<div><br>
</div>
<div>I turned on debug logging and this is the error:</div>
<div><br>
</div>
<div>[net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:187] - Profile Action AddAttributeStatementToAssertion: Encoding attribute eduPersonScopedAffiliation as a SAML 2 Attribute</div>
<div>[net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:154] - Beginning to encode attribute eduPersonScopedAffiliation</div>
<div>[net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:173] - Skipping value of attribute eduPersonScopedAffiliation; Type net.shibboleth.idp.attribute.StringAttributeValue cannot be encoded by this encoder.</div>
<div>[net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:173] - Skipping value of attribute eduPersonScopedAffiliation; Type net.shibboleth.idp.attribute.StringAttributeValue cannot be encoded by this encoder.</div>
<div>[net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:193] - Profile Action AddAttributeStatementToAssertion: Unable to encode attribute eduPersonScopedAffiliation as SAML 2 attribute</div>
<div>net.shibboleth.idp.attribute.AttributeEncodingException: Attribute eduPersonScopedAffiliation did not contain any encodeable values</div>
<div>        at net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder.encode(AbstractSAMLAttributeEncoder.java:188)</div>
<div>[net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:203] - Profile Action AddAttributeStatementToAssertion: Attribute eduPersonScopedAffiliation did not have a usable SAML 2 Attribute encoder associated with it, nothing to do</div>
</blockquote>
<div><br>
</div>
<div>Ok, I changed the Attribute Encoder to enc:SAML2String and it worked. Nothing to see here folks:</div>
<div><br>
</div>
<div>    <resolver:AttributeDefinition xsi:type="ad:Mapped" id="eduPersonScopedAffiliation" sourceAttributeID="ou"></div>
<div>        <resolver:Dependency ref="ldap" /></div>
<div>        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" /></div>
<div>        <ad:ValueMap></div>
<div>           <ad:ReturnValue><a href="mailto:student@sheridancollege.ca">student@mydomain.ca</a></ad:ReturnValue></div>
<div>           <ad:SourceValue>students</ad:SourceValue></div>
<div>        </ad:ValueMap></div>
<div>        <ad:ValueMap></div>
<div>           <ad:ReturnValue><a href="mailto:staff@sheridancollege.ca">staff@mydomain.ca</a></ad:ReturnValue></div>
<div>           <ad:SourceValue>staff</ad:SourceValue></div>
<div>        </ad:ValueMap></div>
<div>    </resolver:AttributeDefinition></div>
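<div><br>
</div>
<div>An added example, not part of the original thread or of the Shibboleth project's code: a small Python check that scans an attribute-resolver file for the mismatch the debug log above reports, an ad:Mapped definition paired with a scoped-string encoder. The namespace URIs, the ids affiliationBefore and affiliationAfter, and the function names are assumptions of the example.</div>

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumed (legacy resolver schema); they are not shown in the thread.
RESOLVER = "{urn:mace:shibboleth:2.0:resolver}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Pairing taken from the debug log in this thread: ad:Mapped produces
# StringAttributeValue, which the scoped-string encoders skip.
PLAIN_STRING_DEFINITIONS = {"Mapped"}
SCOPED_ENCODERS = {"SAML1ScopedString", "SAML2ScopedString"}

def local(qname):
    """Drop the namespace prefix from an xsi:type value such as 'ad:Mapped'."""
    return (qname or "").rsplit(":", 1)[-1]

def find_encoder_mismatches(resolver_xml):
    """Return (definition id, encoder type) pairs whose values would be skipped."""
    findings = []
    for definition in ET.fromstring(resolver_xml).iter(RESOLVER + "AttributeDefinition"):
        if local(definition.get(XSI_TYPE)) not in PLAIN_STRING_DEFINITIONS:
            continue
        for encoder in definition.findall(RESOLVER + "AttributeEncoder"):
            if local(encoder.get(XSI_TYPE)) in SCOPED_ENCODERS:
                findings.append((definition.get("id"), local(encoder.get(XSI_TYPE))))
    return findings

# Constructed sample: the two definitions from the thread, given distinct ids.
SAMPLE = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="ad:Mapped" id="affiliationBefore" sourceAttributeID="myAttribute">
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
    <ad:ValueMap>
      <ad:ReturnValue>student@mydomain.ca</ad:ReturnValue>
      <ad:SourceValue>students</ad:SourceValue>
    </ad:ValueMap>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="ad:Mapped" id="affiliationAfter" sourceAttributeID="ou">
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

if __name__ == "__main__":
    for attr_id, encoder in find_encoder_mismatches(SAMPLE):
        print(f"{attr_id}: {encoder} skips the StringAttributeValue values produced by ad:Mapped")
```

<div>Only the definition carrying the scoped-string encoders is reported; the one using enc:SAML2String, as in the reply above, passes.</div>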
</body>
</html>