Unsure why an Attribute is not being released?
Kanuch, Andrew
Andy.Kanuch at sdstate.edu
Fri Nov 2 12:52:57 EDT 2012
I've tried adding the attribute using a simple basic:ANY rule, and it releases fine, so I'm sure now that it isn't an account permissions issue in AD, it's in how I've configured my attribute filter file.
I've stripped away everything but the rule AttributeRequesterString rule--and I've taken the format of that straight from the wiki (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPFilterRequirementAttributeRequesterString ) it throws the error below. Regardless of how I try to use AttributeRequesterString it throws the same error. Do I need to include something additional different in my schema in order to use the Attribute Request Rule? I've set
Error Reads:
11:30:29.100 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - Configuration was not loaded for shibboleth.AttributeFilterEngine service, error creating components. The root cause of this error was: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'PolicyRequirementRule'. One of '{"urn:mace:shibboleth:2.0:afp":PolicyRequirementRule, "urn:mace:shibboleth:2.0:afp":PolicyRequirementRuleReference}' is expected.
My Filter Policy Group is:
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">
<afp:AttributeFilterPolicy id="releaseToSpExampleOrg">
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://service1.internet2.edu/test"/>
<AttributeRule attributeID="givenName">
<!-- Permit value rule that releases any value. -->
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
I also have a related question. The wiki states that you may have multiple policy files. It also states each AttributeFilterPolicy may have only one policy rule. Is there a limit to how many AttributeFilterPolicy's you can have in an AttributeFilterPolicyGroup? And is there a limit to how may AttributeFilterPolicyGroups you may have in a single file?
Thanks!
-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Christopher Bongaarts
Sent: Thursday, November 01, 2012 12:25 PM
To: users at shibboleth.net
Subject: Re: Unsure why an Attribute is not being released?
On 11/1/2012 12:17 PM, Kanuch, Andrew wrote:
> Hello,
>
> I recently setup our first IDP, and I'm attempting release a specific
> attribute from AD, but it does not appear to be working. The IDP is
> working, and authenticates successfully, it just doesn't release the
> specified attributes. Could you please tell me if I'm missing a step
> somewhere?
Check your IdP's audit log entry for the authentication. One of the fields contains which attributes were released. Looks like you should see some sort of persistent ID in the list already. If you don't see givenName in the list, since your attribute-filter excerpt looks correct, I'd verify that your DataConnector is correctly configured and has sufficient privileges to retrieve the givenName attribute from your LDAP directory. If you turn up the AttributeResolver logging to DEBUG, you should be able to see whether Shib was able to retrieve the value of that attribute.
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users
mailing list