Shibboleth Issue - Attribute-filter.xml

Byron Sayres bsayres at rcc.mass.edu
Fri Apr 8 11:49:42 EDT 2016


Thanks for the replies! Please look at the new files and let me know if this configuration looks correct. Obviously, I need to pass mail, givenName, sn, and sAMAccountName. Sorry if this is repetitive; I appreciate the help on this.


attribute-resolver.xml
<resolver:AttributeDefinition id="mail" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="mail">
    <resolver:Dependency ref="bhccldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:mail" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="givenName" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="givenName">
    <resolver:Dependency ref="bhccldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:givenName" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:2.5.4.42" friendlyName="givenName" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="sn" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="sn">
    <resolver:Dependency ref="bhccldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:sn" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:2.5.4.4" friendlyName="sn" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="sAMAccountName" sourceAttributeID="sAMAccountName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="bhccldap" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sAMAccountName" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.2.840.113556.1.4.221" friendlyName="sAMAccountName" />
</resolver:AttributeDefinition>




attribute-filter.xml

<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                        urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
                        urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">

    <!-- Release mail, givenName, sn, and sAMAccountName -->
    <afp:AttributeFilterPolicy id="releaseToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>

        <afp:AttributeRule attributeID="mail">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="givenName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="sn">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="sAMAccountName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>




On 4/7/16, 12:31 PM, "users on behalf of Peter Schober" <users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at> wrote:

* Byron Sayres <bsayres at rcc.mass.edu> [2016-04-07 17:48]:
> they have only asserted one attribute (named
> "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
> (a.k.a. "eduPersonScopedAffiliation").  They are not releasing any
> of the attributes they have requested us to map.  My first guess
> would be there is an error in their attribute release policy.

First thing would be looking at your IDP logs (idp-audit.log) to find
out what attributes you actually released to that SP.
(I'm assuming that will only show eduPersonScopedAffiliation below.)

> The requested values to map are
> x-r25-first-name = urn:oid:2.5.4.42
> x-r25-family-name = urn:oid:2.5.4.4
> x-r25-email-work = urn:oid:0.9.2342.19200300.100.1.3
> x-r25-user = urn:oid:1.3.6.1.4.1.5923.1.1.1.6

OK, givenName, sn, mail, ePPN.
But you don't release half of them in the config snippet you sent:

> Here is my attribute-filter.xml
>     <afp:AttributeRule attributeID="mail">
>         <afp:PermitValueRule xsi:type="basic:ANY" />
>     </afp:AttributeRule>
>     <afp:AttributeRule attributeID="givenName">
>         <afp:PermitValueRule xsi:type="basic:ANY" />
>     </afp:AttributeRule>
>     <afp:AttributeRule attributeID="sn">
>         <afp:PermitValueRule xsi:type="basic:ANY" />
>     </afp:AttributeRule>
>     <afp:AttributeRule attributeID="sAMAccountName">
>         <afp:PermitValueRule xsi:type="basic:ANY" />
>     </afp:AttributeRule>
>     <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
>         <afp:PermitValueRule xsi:type="basic:ANY" />
>     </afp:AttributeRule>

You release sAMAccountName instead of ePPN (which is only the source
attribute you populate ePPN from, so probably a copy/paste error from
your resolver configuration) and Nate already pointed out that "sn" !=
"surename".
(The attributeID values must match the id values from your resolver.)

If it's correct that the SP only receives eduPersonScopedAffiliation
I'd also suggest that the above probably isn't active at all (the reason
would be an incorrect PolicyRequirementRule, as implied above) and
that you release eduPersonScopedAffiliation to the SP from some other
overarching rule. (Possibly one that releases
eduPersonScopedAffiliation to anyone, or some such.)

We can't help with the PolicyRequirementRule as (a) you don't include
it, and (b) even if you did we don't know the correct name of the SP,
but that's where I'd look -- after making sure you know what you
actually released.
-peter
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
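Peter's reply boils down to two mechanical checks (every attributeID in attribute-filter.xml must be an id defined in attribute-resolver.xml, and each OID the SP asked for must be encoded by some definition that a policy actually releases) plus one question of scope (a basic:ANY PolicyRequirementRule fires for every SP, not just this one). The script below is an added example, not part of the thread and not Shibboleth project code: it parses the two fragments Byron posted, embedded here as constructed sample input (the resolver definitions are wrapped in a constructed AttributeResolver root so they parse on their own, trimmed to their SAML 2 encoders; the filter file is reproduced without its schemaLocation), cross-references them with the four OIDs from the SP's mapping list, and reports what is missing. The namespace URIs are the standard IdP v3 ones; the %{idp.scope} placeholder is left unexpanded because only structure is checked. It also lists which requested OIDs are served by a ScopedString encoder, since those are emitted as value@scope, which is worth knowing when the SP asked for a plain given name or surname.

```python
"""Cross-check a Shibboleth IdP attribute-resolver.xml against attribute-filter.xml
and the OIDs an SP requested (added example, not Shibboleth code)."""
import xml.etree.ElementTree as ET

NS = {"resolver": "urn:mace:shibboleth:2.0:resolver",
      "afp": "urn:mace:shibboleth:2.0:afp",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
XSI_TYPE = "{%s}type" % NS["xsi"]

# Constructed sample: the four definitions from the thread, wrapped in a
# constructed root so the fragment parses; SAML 1 encoders trimmed.
RESOLVER_XML = """<resolver:AttributeResolver
  xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
  xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
  xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<resolver:AttributeDefinition id="mail" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="mail">
  <resolver:Dependency ref="bhccldap"/>
  <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="givenName" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="givenName">
  <resolver:Dependency ref="bhccldap"/>
  <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:2.5.4.42" friendlyName="givenName"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="sn" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="sn">
  <resolver:Dependency ref="bhccldap"/>
  <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:2.5.4.4" friendlyName="sn"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="sAMAccountName" xsi:type="ad:Simple" sourceAttributeID="sAMAccountName">
  <resolver:Dependency ref="bhccldap"/>
  <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.2.840.113556.1.4.221" friendlyName="sAMAccountName"/>
</resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

# Constructed sample: the posted filter policy, schemaLocation omitted.
FILTER_XML = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
  xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="mail"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="sn"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="sAMAccountName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

# The SP's mapping list as quoted in the thread.
REQUESTED = {
    "x-r25-first-name": "urn:oid:2.5.4.42",
    "x-r25-family-name": "urn:oid:2.5.4.4",
    "x-r25-email-work": "urn:oid:0.9.2342.19200300.100.1.3",
    "x-r25-user": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
}

def parse_resolver(xml_text):
    """Return {attribute id: [(encoder xsi:type, encoder name)]}."""
    root = ET.fromstring(xml_text)
    return {d.get("id"): [(e.get(XSI_TYPE), e.get("name"))
                          for e in d.findall("resolver:AttributeEncoder", NS)]
            for d in root.iter("{%s}AttributeDefinition" % NS["resolver"])}

def parse_filter(xml_text):
    """Return {policy id: (PolicyRequirementRule xsi:type, [released attributeIDs])}."""
    root = ET.fromstring(xml_text)
    out = {}
    for p in root.findall("afp:AttributeFilterPolicy", NS):
        rule = p.find("afp:PolicyRequirementRule", NS)
        out[p.get("id")] = (None if rule is None else rule.get(XSI_TYPE),
                            [r.get("attributeID") for r in p.findall("afp:AttributeRule", NS)])
    return out

def audit(defs, policies, requested):
    """Compare what the resolver encodes, what the filter releases, and what the SP asked for."""
    by_name = {name: (aid, etype) for aid, encs in defs.items() for etype, name in encs}
    released = {aid for _, ids in policies.values() for aid in ids}
    covering = {label: by_name.get(oid) for label, oid in requested.items()}
    return {
        # attributeID in the filter with no matching resolver id: that rule is dead
        "undefined_in_filter": sorted(released - set(defs)),
        # basic:ANY requirement rule: the policy fires for every SP, not just this one
        "release_to_anyone": sorted(pid for pid, (req, _) in policies.items() if req == "basic:ANY"),
        # requested OID not encoded by any definition, or encoded but in no AttributeRule
        "not_released_to_sp": sorted(l for l, hit in covering.items()
                                     if hit is None or hit[0] not in released),
        # requested OID served by a ScopedString encoder, i.e. sent as value@scope
        "scoped_encoding": sorted(l for l, hit in covering.items()
                                  if hit and hit[1].endswith("ScopedString")),
    }

def findings():
    return audit(parse_resolver(RESOLVER_XML), parse_filter(FILTER_XML), REQUESTED)

if __name__ == "__main__":
    for key, value in findings().items():
        print("%-20s %s" % (key, value))
```

Against the posted configuration the report shows no undefined attributeIDs, one release-to-anyone policy, x-r25-user (ePPN) as the only requested OID with no encoder and no rule, and the three scoped attributes. To run it against real files, read attribute-resolver.xml and attribute-filter.xml in place of the embedded strings; the real resolver file already has its root element. The basic:ANY comparison is a plain string match on the xsi:type value, so it assumes the filter file binds the prefix `basic` as the posted one does.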
