<div dir="ltr"><div><font face="arial, sans-serif">Howdy all,    Note: I'm using IdP 2.x for reasons beyond my control .. please don't crucify me for that... I'm sure there are many other things to crucify me for :-)</font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">  I'm attempting to set up SSO with the cloud service product "Beyond Trust". The metadata being generated from the SP side appears to require a persistent nameid, as that's the only type listed in the metadata.   I attempted to get it to work by just using the default attributes that are released to everyone.   That caused a message similar to invalid NameId or NameID format not supported.  That wasn't surprising.  I don't think I have any other relying parties that require persistent name id, so I have never configured this before.</font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">So my problem is I have now configured an attribute "BeyondTrustUsername"  in the attribute-resolver that uses the persistent nameid ... I get past the invalid nameid format message.   But the attribute does not appear to be released.  I have configured the "BeyondTrustUsername" attribute in the attribute-filter.xml to release to anyone.  When starting shib I can see references to the Attribute definition being parsed in the idp-process log and no errors.    But when I attempt to log in to the application I don't see the attribute being released ... (at least not in SAML tracer).  To me it appears that the attribute is available but not being released.  The attribute I created was "BeyondTrustUsername".</font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">Here's what I added to attribute-resolver.xml for it:</font></div><div>





<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">resolver</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">AttributeDefinition </span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">id</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">"</span><span class="gmail-s7" style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)">Beyond</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">TrustUsername"</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> </span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">xsi</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">type</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">"Simple"</span></font></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">                              </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">xmlns</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">"urn:mace:shibboleth:2.0:resolver:ad"</span></font></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">                              </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">sourceAttributeID</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s8" style="font-variant-ligatures:no-common-ligatures">"uid"</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">></span></font></p>
<p class="gmail-p3" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;min-height:13px"><font color="#000000" face="arial, sans-serif"><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures"></span><br></font></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures"><</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">resolver</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">Dependency </span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">ref</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s8" style="font-variant-ligatures:no-common-ligatures">"myLDAP"</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">/></span></font></p>
<p class="gmail-p3" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;min-height:13px"><font color="#000000" face="arial, sans-serif"><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures"></span><br></font></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">resolver</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">AttributeEncoder </span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">xsi</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">type</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">"SAML2StringNameID"</span></font></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">                               </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">xmlns</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">"urn:mace:shibboleth:2.0:attribute:encoder"</span></font></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">                               </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">nameFormat</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> /></span></font></p>
<p class="gmail-p4" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures"></</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">resolver</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">AttributeDefinition></span></font></p></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">The AttributeDefinition above appears to load OK.</font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">Here's what I added to the attribute-filter.xml in the release to anyone section:</font></div><div><font face="arial, sans-serif"><br></font></div><div>





<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space" style="">        </span></span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures">afp</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">AttributeRule </span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">attributeID</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">"</span><span class="gmail-s7" style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)">Beyond</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures"><span style="background-color:rgb(255,255,255)">T</span>rustUsername"</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">></span></font></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">            </span></span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures">afp</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">PermitValueRule </span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">xsi</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">type</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">"basic:ANY"</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"> /></span></font></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">        </span></span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"></</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures">afp</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">AttributeRule></span></font></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><br></span></font></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">The other attributes release OK ... (though they are not of the persistent nameid format)</span></font></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" face="arial, sans-serif"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><br></span></font></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font face="arial, sans-serif"><br></font></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font face="arial, sans-serif">Here's what I get in my saml trace .... 
sorry for posting all of this but I want to make sure I have given enough information to be helpful.</font></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font face="arial, sans-serif"><br></font></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font face="arial, sans-serif"><span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2p:Response</span> <span class="gmail-hljs-attr">xmlns:saml2p</span>=<span class="gmail-hljs-string">"urn:oasis:names:tc:SAML:2.0:protocol"</span>
                 <span class="gmail-hljs-attr">Destination</span>=<span class="gmail-hljs-string">"<a href="https://pima.beyondtrustcloud.com/saml/sso">https://pima.beyondtrustcloud.com/saml/sso</a>"</span>
                 <span class="gmail-hljs-attr">ID</span>=<span class="gmail-hljs-string">"_351200422a172aea25cd30be76dbcddf"</span>
                 <span class="gmail-hljs-attr">InResponseTo</span>=<span class="gmail-hljs-string">"BG_f625d575141079be3df1d946780cf2b434b84194"</span>
                 <span class="gmail-hljs-attr">IssueInstant</span>=<span class="gmail-hljs-string">"2020-04-08T09:44:40.384Z"</span>
                 <span class="gmail-hljs-attr">Version</span>=<span class="gmail-hljs-string">"2.0"</span>
                 ></span>
    <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:Issuer</span> <span class="gmail-hljs-attr">xmlns:saml2</span>=<span class="gmail-hljs-string">"urn:oasis:names:tc:SAML:2.0:assertion"</span>
                  <span class="gmail-hljs-attr">Format</span>=<span class="gmail-hljs-string">"urn:oasis:names:tc:SAML:2.0:nameid-format:entity"</span>
                  ></span><a href="https://idp.pima.edu/idp/shibboleth">https://idp.pima.edu/idp/shibboleth</a><span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:Issuer</span>></span>
    <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2p:Status</span>></span>
        <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2p:StatusCode</span> <span class="gmail-hljs-attr">Value</span>=<span class="gmail-hljs-string">"urn:oasis:names:tc:SAML:2.0:status:Success"</span> /></span>
    <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2p:Status</span>></span>
    <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:Assertion</span> <span class="gmail-hljs-attr">xmlns:saml2</span>=<span class="gmail-hljs-string">"urn:oasis:names:tc:SAML:2.0:assertion"</span>
                     <span class="gmail-hljs-attr">ID</span>=<span class="gmail-hljs-string">"_45cbaeda010b480dec5ae25542abfdca"</span>
                     <span class="gmail-hljs-attr">IssueInstant</span>=<span class="gmail-hljs-string">"2020-04-08T09:44:40.384Z"</span>
                     <span class="gmail-hljs-attr">Version</span>=<span class="gmail-hljs-string">"2.0"</span>
                     <span class="gmail-hljs-attr">xmlns:xs</span>=<span class="gmail-hljs-string">"<a href="http://www.w3.org/2001/XMLSchema">http://www.w3.org/2001/XMLSchema</a>"</span>
                     ></span>
        <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:Issuer</span> <span class="gmail-hljs-attr">Format</span>=<span class="gmail-hljs-string">"urn:oasis:names:tc:SAML:2.0:nameid-format:entity"</span>></span><a href="https://idp.pima.edu/idp/shibboleth">https://idp.pima.edu/idp/shibboleth</a><span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:Issuer</span>></span>
        <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:Signature</span> <span class="gmail-hljs-attr">xmlns:ds</span>=<span class="gmail-hljs-string">"<a href="http://www.w3.org/2000/09/xmldsig#">http://www.w3.org/2000/09/xmldsig#</a>"</span>></span>
            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:SignedInfo</span>></span>
                <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:CanonicalizationMethod</span> <span class="gmail-hljs-attr">Algorithm</span>=<span class="gmail-hljs-string">"<a href="http://www.w3.org/2001/10/xml-exc-c14n#">http://www.w3.org/2001/10/xml-exc-c14n#</a>"</span> /></span>
                <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:SignatureMethod</span> <span class="gmail-hljs-attr">Algorithm</span>=<span class="gmail-hljs-string">"<a href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>"</span> /></span>
                <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:Reference</span> <span class="gmail-hljs-attr">URI</span>=<span class="gmail-hljs-string">"#_45cbaeda010b480dec5ae25542abfdca"</span>></span>
                    <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:Transforms</span>></span>
                        <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:Transform</span> <span class="gmail-hljs-attr">Algorithm</span>=<span class="gmail-hljs-string">"<a href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>"</span> /></span>
                        <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:Transform</span> <span class="gmail-hljs-attr">Algorithm</span>=<span class="gmail-hljs-string">"<a href="http://www.w3.org/2001/10/xml-exc-c14n#">http://www.w3.org/2001/10/xml-exc-c14n#</a>"</span>></span>
                            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ec:InclusiveNamespaces</span> <span class="gmail-hljs-attr">xmlns:ec</span>=<span class="gmail-hljs-string">"<a href="http://www.w3.org/2001/10/xml-exc-c14n#">http://www.w3.org/2001/10/xml-exc-c14n#</a>"</span>
                                                    <span class="gmail-hljs-attr">PrefixList</span>=<span class="gmail-hljs-string">"xs"</span>
                                                    /></span>
                        <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">ds:Transform</span>></span>
                    <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">ds:Transforms</span>></span>
                    <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:DigestMethod</span> <span class="gmail-hljs-attr">Algorithm</span>=<span class="gmail-hljs-string">"<a href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>"</span> /></span>
                    <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:DigestValue</span>></span>zC3J771Z4myufNbeoZL3dqUfxu8=<span class="gmail-hljs-tag"></<span class="gmail-hljs-name">ds:DigestValue</span>></span>
                <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">ds:Reference</span>></span>
            <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">ds:SignedInfo</span>></span>
            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:SignatureValue</span>></span>SCcJ6oB2KdDqMAivUtr8FZOd4QOvjt/jBm3U7kOkc36fpBsqWDZN3kjMlCFgvrpEgzJnUqP84sDgRHL3/8wlAObeY0niphMztfOibKaijMp5DzsKt01n0F8SAUgiCMCtMNyRDcUlAKA5rSEwz7Oom6KIhzaB51evaEr8Wx0Ig+UOhdzMN7VLSKWzoFqZUW76nEc+6lMDZ5teMMj00xcBaQewyR/Q/uAgOl+7gxcRpL5WnFaXYkx58sUtCS4PeFrznAlTHxTF2uHbdX72enst7hcerJPVM3q1J5/TP7FwrHaFLlINNGy4D0lQhyuqOxjRz/xQe2caCPyLMjek1H/9Kw==<span class="gmail-hljs-tag"></<span class="gmail-hljs-name">ds:SignatureValue</span>></span>
            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:KeyInfo</span>></span>
                <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:X509Data</span>></span>
                    <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">ds:X509Certificate</span>></span>MIIDHDCCAgSgAwIBAgIVAI8RApJaLNJSvMXpCrnt7hb5JMR2MA0GCSqGSIb3DQEBBQUAMBcxFTAT
BgNVBAMTDGlkcC5waW1hLmVkdTAeFw0xMzEyMTExNjE3MTFaFw0zMzEyMTExNjE3MTFaMBcxFTAT
BgNVBAMTDGlkcC5waW1hLmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKaONUO2
QeOvi5wklyGNDnrsp1rWU3SxoRK1FKCd2SUJXJnmanY3udbCtjEO+VKrhGkc/c+9QOwWGA2n7t9U
5S/vvmJNCI1zu6q9Jnr7osAnPYwSZ8Ee36HK4epL47vyLjqBC1psspkyBgKwe6h+Dk7QZXXMeClq
6GuTDRCyEyr0uXgXxbZtvOHjMtNzSZHNPIgd8CTLhXS0K9+zS+67HRRueSfMpXNKtGhnxXlefCNZ
hJeUpMf58DxoGmqko6sy7n6Y2d7gdJUDuAO9Wu1ZDY1Ts4KPoyuFMHzFNyI+13RWDkDqPtDaxBNZ
JRaFPi1pPdW8zBYuQFXxBI5RiNyktbUCAwEAAaNfMF0wPAYDVR0RBDUwM4IMaWRwLnBpbWEuZWR1
hiNodHRwczovL2lkcC5waW1hLmVkdS9pZHAvc2hpYmJvbGV0aDAdBgNVHQ4EFgQU1NqJMb5Tjvls
997bnBJR/IFIke4wDQYJKoZIhvcNAQEFBQADggEBAAPJBOHUQ/toEICXbgm/6KOezWlpsj0wT9Pt
ZCV00w01+/PIp41j6ChZOi5aznKyje1mXJ7zhs9LsohEJG5M6+2aaOb4DDG2H/WZB/yr4LKwt5zm
wZkNEhDFpzYjlDAf8czEvAPFeO53kxILu42BEntqyEPqBH8L+8mifwcOiZTr1LUkjeG2iCrZ+4Ae
pJuq60mNjdDp78bOnQPTraPsrwysIBO+D0IU70zbJdlTTjqaDNcSc3EJTHGKT8FTBZ4AhAqFSC7Y
8szne3fNsoCZgy3JUCiYvFqkeZNXqRsWAfh40Tv6+3GYpfV3wLPnSTqH/35dNRD3MJebUFZzPCZd
c2E=<span class="gmail-hljs-tag"></<span class="gmail-hljs-name">ds:X509Certificate</span>></span>
                <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">ds:X509Data</span>></span>
            <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">ds:KeyInfo</span>></span>
        <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">ds:Signature</span>></span>
        <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:Subject</span>></span>
            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:NameID</span> <span class="gmail-hljs-attr">Format</span>=<span class="gmail-hljs-string">"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"</span>
                          <span class="gmail-hljs-attr">NameQualifier</span>=<span class="gmail-hljs-string">"<a href="https://idp.pima.edu/idp/shibboleth">https://idp.pima.edu/idp/shibboleth</a>"</span>
                          <span class="gmail-hljs-attr">SPNameQualifier</span>=<span class="gmail-hljs-string">"<a href="https://pima.beyondtrustcloud.com">https://pima.beyondtrustcloud.com</a>"</span>
                          ></span>trename01<span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:NameID</span>></span>
            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:SubjectConfirmation</span> <span class="gmail-hljs-attr">Method</span>=<span class="gmail-hljs-string">"urn:oasis:names:tc:SAML:2.0:cm:bearer"</span>></span>
                <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:SubjectConfirmationData</span> <span class="gmail-hljs-attr">Address</span>=<span class="gmail-hljs-string">"144.90.132.128"</span>
                                               <span class="gmail-hljs-attr">InResponseTo</span>=<span class="gmail-hljs-string">"BG_f625d575141079be3df1d946780cf2b434b84194"</span>
                                               <span class="gmail-hljs-attr">NotOnOrAfter</span>=<span class="gmail-hljs-string">"2020-04-08T09:49:40.384Z"</span>
                                               <span class="gmail-hljs-attr">Recipient</span>=<span class="gmail-hljs-string">"<a href="https://pima.beyondtrustcloud.com/saml/sso">https://pima.beyondtrustcloud.com/saml/sso</a>"</span>
                                               /></span>
            <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:SubjectConfirmation</span>></span>
        <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:Subject</span>></span>
        <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:Conditions</span> <span class="gmail-hljs-attr">NotBefore</span>=<span class="gmail-hljs-string">"2020-04-08T09:44:40.384Z"</span>
                          <span class="gmail-hljs-attr">NotOnOrAfter</span>=<span class="gmail-hljs-string">"2020-04-08T09:49:40.384Z"</span>
                          ></span>
            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:AudienceRestriction</span>></span>
                <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:Audience</span>></span><a href="https://pima.beyondtrustcloud.com">https://pima.beyondtrustcloud.com</a><span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:Audience</span>></span>
            <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:AudienceRestriction</span>></span>
        <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:Conditions</span>></span>
        <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:AuthnStatement</span> <span class="gmail-hljs-attr">AuthnInstant</span>=<span class="gmail-hljs-string">"2020-04-08T09:44:40.208Z"</span>
                              <span class="gmail-hljs-attr">SessionIndex</span>=<span class="gmail-hljs-string">"_4e6aa2f2f8b87542705c10630fd9fb2c"</span>
                              ></span>
            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:SubjectLocality</span> <span class="gmail-hljs-attr">Address</span>=<span class="gmail-hljs-string">"144.90.132.128"</span> /></span>
            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:AuthnContext</span>></span>
                <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:AuthnContextClassRef</span>></span>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:AuthnContextClassRef</span>></span>
            <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:AuthnContext</span>></span>
        <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:AuthnStatement</span>></span>
        <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:AttributeStatement</span>></span>
            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:Attribute</span> <span class="gmail-hljs-attr">FriendlyName</span>=<span class="gmail-hljs-string">"uid"</span>
                             <span class="gmail-hljs-attr">Name</span>=<span class="gmail-hljs-string">"urn:oid:0.9.2342.19200300.100.1.1"</span>
                             <span class="gmail-hljs-attr">NameFormat</span>=<span class="gmail-hljs-string">"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"</span>
                             ></span>
                <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:AttributeValue</span> <span class="gmail-hljs-attr">xmlns:xsi</span>=<span class="gmail-hljs-string">"<a href="http://www.w3.org/2001/XMLSchema-instance">http://www.w3.org/2001/XMLSchema-instance</a>"</span>
                                      <span class="gmail-hljs-attr">xsi:type</span>=<span class="gmail-hljs-string">"xs:string"</span>
                                      ></span>trename01<span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:AttributeValue</span>></span>
            <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:Attribute</span>></span>
            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:Attribute</span> <span class="gmail-hljs-attr">FriendlyName</span>=<span class="gmail-hljs-string">"eduPersonPrincipalName"</span>
                             <span class="gmail-hljs-attr">Name</span>=<span class="gmail-hljs-string">"urn:oid:1.3.6.1.4.1.5923.1.1.1.6"</span>
                             <span class="gmail-hljs-attr">NameFormat</span>=<span class="gmail-hljs-string">"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"</span>
                             ></span>
                <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:AttributeValue</span> <span class="gmail-hljs-attr">xmlns:xsi</span>=<span class="gmail-hljs-string">"<a href="http://www.w3.org/2001/XMLSchema-instance">http://www.w3.org/2001/XMLSchema-instance</a>"</span>
                                      <span class="gmail-hljs-attr">xsi:type</span>=<span class="gmail-hljs-string">"xs:string"</span>
                                      ></span><a href="mailto:trename01@pima.edu">trename01@pima.edu</a><span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:AttributeValue</span>></span>
            <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:Attribute</span>></span>
            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:Attribute</span> <span class="gmail-hljs-attr">FriendlyName</span>=<span class="gmail-hljs-string">"sn"</span>
                             <span class="gmail-hljs-attr">Name</span>=<span class="gmail-hljs-string">"urn:oid:2.5.4.4"</span>
                             <span class="gmail-hljs-attr">NameFormat</span>=<span class="gmail-hljs-string">"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"</span>
                             ></span>
                <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:AttributeValue</span> <span class="gmail-hljs-attr">xmlns:xsi</span>=<span class="gmail-hljs-string">"<a href="http://www.w3.org/2001/XMLSchema-instance">http://www.w3.org/2001/XMLSchema-instance</a>"</span>
                                      <span class="gmail-hljs-attr">xsi:type</span>=<span class="gmail-hljs-string">"xs:string"</span>
                                      ></span>rename01<span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:AttributeValue</span>></span>
            <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:Attribute</span>></span>
            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:Attribute</span> <span class="gmail-hljs-attr">FriendlyName</span>=<span class="gmail-hljs-string">"givenName"</span>
                             <span class="gmail-hljs-attr">Name</span>=<span class="gmail-hljs-string">"urn:oid:2.5.4.42"</span>
                             <span class="gmail-hljs-attr">NameFormat</span>=<span class="gmail-hljs-string">"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"</span>
                             ></span>
                <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:AttributeValue</span> <span class="gmail-hljs-attr">xmlns:xsi</span>=<span class="gmail-hljs-string">"<a href="http://www.w3.org/2001/XMLSchema-instance">http://www.w3.org/2001/XMLSchema-instance</a>"</span>
                                      <span class="gmail-hljs-attr">xsi:type</span>=<span class="gmail-hljs-string">"xs:string"</span>
                                      ></span>Testing<span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:AttributeValue</span>></span>
            <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:Attribute</span>></span>
            <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:Attribute</span> <span class="gmail-hljs-attr">FriendlyName</span>=<span class="gmail-hljs-string">"mail"</span>
                             <span class="gmail-hljs-attr">Name</span>=<span class="gmail-hljs-string">"urn:oid:0.9.2342.19200300.100.1.3"</span>
                             <span class="gmail-hljs-attr">NameFormat</span>=<span class="gmail-hljs-string">"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"</span>
                             ></span>
                <span class="gmail-hljs-tag"><<span class="gmail-hljs-name">saml2:AttributeValue</span> <span class="gmail-hljs-attr">xmlns:xsi</span>=<span class="gmail-hljs-string">"<a href="http://www.w3.org/2001/XMLSchema-instance">http://www.w3.org/2001/XMLSchema-instance</a>"</span>
                                      <span class="gmail-hljs-attr">xsi:type</span>=<span class="gmail-hljs-string">"xs:string"</span>
                                      ></span><a href="mailto:trename01@pima.edu">trename01@pima.edu</a><span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:AttributeValue</span>></span>
            <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:Attribute</span>></span>
        <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:AttributeStatement</span>></span>
    <span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2:Assertion</span>></span>
<span class="gmail-hljs-tag"></<span class="gmail-hljs-name">saml2p:Response</span>></span><br></font></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font face="arial, sans-serif"><br></font></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font face="arial, sans-serif"><br></font></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font face="arial, sans-serif">If you have any ideas as to what I'm missing please let me know ... I have also tried to release the "BeyondTrustUsername" attribute directly by adding this to the attribute-filter.xml</font></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font face="arial, sans-serif"><br></font></p><p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-stretch:normal;line-height:normal"><font color="#000000" style="background-color:rgb(255,255,255)" face="arial, sans-serif"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><!-- add for </span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">Beyond</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">Trust --></span></font></p><p class="gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-stretch:normal;line-height:normal"><font color="#000000" style="background-color:rgb(255,255,255)" face="arial, sans-serif"><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">  </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><</span><span class="gmail-s4" 
style="font-variant-ligatures:no-common-ligatures">afp</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">AttributeFilterPolicy></span></font></p><p class="gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-stretch:normal;line-height:normal"><font color="#000000" style="background-color:rgb(255,255,255)" face="arial, sans-serif"><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">        </span></span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures"><</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">afp</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures">PolicyRequirementRule </span><span class="gmail-s7" style="font-variant-ligatures:no-common-ligatures">xsi</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s7" style="font-variant-ligatures:no-common-ligatures">type</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">"basic:AttributeRequesterString"</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures"> </span><span class="gmail-s7" style="font-variant-ligatures:no-common-ligatures">value</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">"<a href="https://pima.beyondtrustcloud.com">https://pima.beyondtrustcloud.com</a>"</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures"> /></span></font></p><p class="gmail-p2" 
style="margin:0px;font-style:normal;font-variant:normal;font-stretch:normal;line-height:normal"><font color="#000000" style="background-color:rgb(255,255,255)" face="arial, sans-serif"><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">        </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">afp</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">AttributeRule </span><span class="gmail-s7" style="font-variant-ligatures:no-common-ligatures">attributeID</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s8" style="font-variant-ligatures:no-common-ligatures">"</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">Beyond</span><span class="gmail-s8" style="font-variant-ligatures:no-common-ligatures">TrustUsername"</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">></span></font></p><p class="gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-stretch:normal;line-height:normal"><font color="#000000" style="background-color:rgb(255,255,255)" face="arial, sans-serif"><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">            </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">afp</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">PermitValueRule </span><span class="gmail-s7" style="font-variant-ligatures:no-common-ligatures">xsi</span><span class="gmail-s5" 
style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s7" style="font-variant-ligatures:no-common-ligatures">type</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures">=</span><span class="gmail-s8" style="font-variant-ligatures:no-common-ligatures">"basic:ANY"</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> /></span></font></p><p class="gmail-p4" style="margin:0px;font-style:normal;font-variant:normal;font-stretch:normal;line-height:normal"><font color="#000000" style="background-color:rgb(255,255,255)" face="arial, sans-serif"><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">        </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">afp</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">AttributeRule></span></font></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal">
</p><p class="gmail-p4" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" style="background-color:rgb(255,255,255)" face="arial, sans-serif"><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures">afp</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">AttributeFilterPolicy></span></font></p><p class="gmail-p4" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" style="background-color:rgb(255,255,255)" face="arial, sans-serif"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></font></p><p class="gmail-p4" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" style="background-color:rgb(255,255,255)" face="arial, sans-serif"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></font></p><p class="gmail-p4" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal"><font color="#000000" style="background-color:rgb(255,255,255)" face="arial, sans-serif"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">I hope what I have tried to explain makes sense.  
Thanks ahead of time for your input</span></font></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo"><br></p></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div><br></div><div><br></div><div><br></div><div>Brad Mathis</div><div>IT Systems Architect </div><div>Infrastructure Services - Applications<br></div><div>Pima Community College<br></div><div>520.206.4826<br></div><div><a href="mailto:bmathis@pima.edu" target="_blank">bmathis@pima.edu</a></div></div><div><br></div><div><img src="https://drive.google.com/a/pima.edu/uc?id=1-cXzKNARwUoDuBUcqPuKHQtqN6T9Kc-K&export=download" width="200" height="147"><br></div><div><br></div><div><br></div><div><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
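<div>The check the post does by eye in SAML tracer, as an added example that is not part of the original message: this Python script reads a decoded SAML response and reports the NameID format carried in the assertion's Subject separately from the attributes in the AttributeStatement, so the format the SP's metadata lists can be compared with what was sent. The sample response is constructed, and the function and constant names are assumptions of this example.</div>

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# A NameID without a Format attribute is treated as "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample, not the response from the post.
SAMPLE_RESPONSE = """\
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_constructed-id</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4">
        <saml2:AttributeValue>Example</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3">
        <saml2:AttributeValue>user@example.org</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def summarize(response_xml):
    """Return NameIDs, attributes and an encrypted flag for a decoded Response document."""
    root = ET.fromstring(response_xml)
    summary = {"name_ids": [], "attributes": {}, "encrypted": False}
    # An EncryptedAssertion hides both the Subject and the attributes from this check.
    summary["encrypted"] = root.find(".//saml2:EncryptedAssertion", NS) is not None
    for assertion in root.iterfind(".//saml2:Assertion", NS):
        for nid in assertion.iterfind("saml2:Subject/saml2:NameID", NS):
            summary["name_ids"].append((nid.get("Format", UNSPECIFIED), (nid.text or "").strip()))
        for attr in assertion.iterfind("saml2:AttributeStatement/saml2:Attribute", NS):
            key = attr.get("FriendlyName") or attr.get("Name")
            values = [(v.text or "").strip() for v in attr.iterfind("saml2:AttributeValue", NS)]
            summary["attributes"].setdefault(key, []).extend(values)
    return summary


def check_name_id(response_xml, required_format):
    """Return (ok, formats_seen); ok is True only if a Subject NameID uses required_format."""
    seen = [fmt for fmt, _ in summarize(response_xml)["name_ids"]]
    return (required_format in seen, seen)
```

<div>This only inspects what a response contains; it does not verify the signature, so use it on responses captured from your own test logins.</div>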