Attribute filter warnings in the IdP log since installing the OIDC extension
Wessel, Keith
kwessel at illinois.edu
Tue Sep 10 10:47:08 EDT 2019
Thanks, Rod and Scott. This does appear to be a bug where the OIDC extension is returning the wrong result to the attribute filter when there's no OIDC context (as in a SAML authn request).
Here's my attribute filter configuration for requested claims: note that it's the same six attributes that we make available upon request that are resulting in warnings in the log.
<AttributeFilterPolicy id="REQUESTED_CLAIMS">
    <PolicyRequirementRule xsi:type="NOT">
        <Rule xsi:type="Value"
              attributeID="uiucEduSuppress" value="y"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonPrincipalName_idtoken">
        <PermitValueRule xsi:type="oidcext:AttributeInOIDCRequestedClaims" matchOnlyIDToken="true" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="oidcext:AttributeInOIDCRequestedClaims" matchOnlyUserInfo="true" />
    </AttributeRule>
    <AttributeRule attributeID="mail_idtoken">
        <PermitValueRule xsi:type="oidcext:AttributeInOIDCRequestedClaims" matchOnlyIDToken="true" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="oidcext:AttributeInOIDCRequestedClaims" matchOnlyUserInfo="true" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="oidcext:AttributeInOIDCRequestedClaims" matchOnlyUserInfo="true"
                         onlyIfEssential="true" />
    </AttributeRule>
    <AttributeRule attributeID="uiucEduUIN">
        <PermitValueRule xsi:type="oidcext:AttributeInOIDCRequestedClaims" matchOnlyUserInfo="true"
                         onlyIfEssential="true" />
    </AttributeRule>
</AttributeFilterPolicy>
And here's the logging with debug-level for the OIDC extension:
2019-09-10 09:41:24,672 - DEBUG [org.geant.idpextension.oidc.attribute.filter.matcher.impl.AttributeInOIDCRequestedClaimsMatcher:217] - Attribute Filter '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/PermitValueRule:_f423933d01364a86fee9030c9a9223c5': No oidc response ctx for this comparison - [session=node01r2o0pmvr1fhw3kr8kq3nmehj2886927] [ip=10.193.180.110]
2019-09-10 09:41:24,673 - WARN [net.shibboleth.idp.attribute.filter.AttributeRule:175] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_a8436ff76d59fc08ffc62c19ce95242b' Filter failed. No values released for attribute 'eduPersonPrincipalName_idtoken' - [session=node01r2o0pmvr1fhw3kr8kq3nmehj2886927] [ip=10.193.180.110]
2019-09-10 09:41:24,673 - DEBUG [org.geant.idpextension.oidc.attribute.filter.matcher.impl.AttributeInOIDCRequestedClaimsMatcher:217] - Attribute Filter '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/PermitValueRule:_9a6c5285f097b5496cfeb47eba7cb2bc': No oidc response ctx for this comparison - [session=node01r2o0pmvr1fhw3kr8kq3nmehj2886927] [ip=10.193.180.110]
2019-09-10 09:41:24,674 - WARN [net.shibboleth.idp.attribute.filter.AttributeRule:175] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_66afb9215ba36b469355e32309727f00' Filter failed. No values released for attribute 'eduPersonPrincipalName' - [session=node01r2o0pmvr1fhw3kr8kq3nmehj2886927] [ip=10.193.180.110]
2019-09-10 09:41:24,674 - DEBUG [org.geant.idpextension.oidc.attribute.filter.matcher.impl.AttributeInOIDCRequestedClaimsMatcher:217] - Attribute Filter '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/PermitValueRule:_955c0cac6c5c4d3f00c3b4aae69d62e5': No oidc response ctx for this comparison - [session=node01r2o0pmvr1fhw3kr8kq3nmehj2886927] [ip=10.193.180.110]
2019-09-10 09:41:24,674 - WARN [net.shibboleth.idp.attribute.filter.AttributeRule:175] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_17f1d704c022cc94cde11527df3429d3' Filter failed. No values released for attribute 'mail_idtoken' - [session=node01r2o0pmvr1fhw3kr8kq3nmehj2886927] [ip=10.193.180.110]
2019-09-10 09:41:24,675 - DEBUG [org.geant.idpextension.oidc.attribute.filter.matcher.impl.AttributeInOIDCRequestedClaimsMatcher:217] - Attribute Filter '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/PermitValueRule:_1c9b13f1e02b2ee294de7cb030715951': No oidc response ctx for this comparison - [session=node01r2o0pmvr1fhw3kr8kq3nmehj2886927] [ip=10.193.180.110]
2019-09-10 09:41:24,675 - WARN [net.shibboleth.idp.attribute.filter.AttributeRule:175] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_4f9f598f0eece126b166df6796ce12ba' Filter failed. No values released for attribute 'mail' - [session=node01r2o0pmvr1fhw3kr8kq3nmehj2886927] [ip=10.193.180.110]
2019-09-10 09:41:24,676 - DEBUG [org.geant.idpextension.oidc.attribute.filter.matcher.impl.AttributeInOIDCRequestedClaimsMatcher:217] - Attribute Filter '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/PermitValueRule:_b41e28e83b6fea0d361850c5a2c88669': No oidc response ctx for this comparison - [session=node01r2o0pmvr1fhw3kr8kq3nmehj2886927] [ip=10.193.180.110]
2019-09-10 09:41:24,676 - WARN [net.shibboleth.idp.attribute.filter.AttributeRule:175] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_32d4054afba1b959bd7f6d935e2d8f28' Filter failed. No values released for attribute 'displayName' - [session=node01r2o0pmvr1fhw3kr8kq3nmehj2886927] [ip=10.193.180.110]
2019-09-10 09:41:24,676 - DEBUG [org.geant.idpextension.oidc.attribute.filter.matcher.impl.AttributeInOIDCRequestedClaimsMatcher:217] - Attribute Filter '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/PermitValueRule:_92f078eef9938e48a61cb0abe792236e': No oidc response ctx for this comparison - [session=node01r2o0pmvr1fhw3kr8kq3nmehj2886927] [ip=10.193.180.110]
2019-09-10 09:41:24,677 - WARN [net.shibboleth.idp.attribute.filter.AttributeRule:175] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_e479519b2c1894ad2db825a8145c3a7f' Filter failed. No values released for attribute 'uiucEduUIN' - [session=node01r2o0pmvr1fhw3kr8kq3nmehj2886927] [ip=10.193.180.110]
Geant folks, is this a known issue that will be corrected in 1.1.X? Or do I need to file a bug? Or is there something I should be doing differently with my configuration?
Keith
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Rod Widdowson
Sent: Tuesday, September 10, 2019 5:03 AM
To: 'Shib Users' <users at shibboleth.net>
Subject: RE: Attribute filter warnings in the IdP log since installing the OIDC extension
> For nearly every authentication since adding the OIDC extension to our IdP, we see the following warnings in our IdP log.
To confirm what Scott said, these warnings *do* matter.
The situation is very distinct from a filter returning no values: they indicate that a failure occurred during attribute filtering and as a result the entire filter failed safe to "no release" (if it was a deny filter it would fail safe to "deny all").
You/we need to find out why the failure occurred, not least because the source of the failure should also be logging. This lack of previous warning at least requires a bug fix.
It would be useful to see what a log at debug of "net.shibboleth.idp.filter" says.
Thanks
Rod
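
Added example, not part of the original thread: a small Python triage script that pairs each "Filter failed" WARN with a preceding "No oidc response ctx" DEBUG line in the same session, so failures caused by the missing OIDC context can be separated from filter failures with some other cause. The sample log is constructed in the layout shown above (shortened rule ids, placeholder sessions and IPs), and the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Attribute IDs whose rules use oidcext:AttributeInOIDCRequestedClaims in the policy above.
OIDC_RULE_ATTRS = {"eduPersonPrincipalName_idtoken", "eduPersonPrincipalName",
                   "mail_idtoken", "mail", "displayName", "uiucEduUIN"}

# Constructed sample in the IdP log layout shown above (short rule ids, placeholder sessions/IPs).
SAMPLE_LOG = """\
2019-09-10 09:41:24,672 - DEBUG [org.geant.idpextension.oidc.attribute.filter.matcher.impl.AttributeInOIDCRequestedClaimsMatcher:217] - Attribute Filter '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/PermitValueRule:_r1': No oidc response ctx for this comparison - [session=s1] [ip=192.0.2.10]
2019-09-10 09:41:24,673 - WARN [net.shibboleth.idp.attribute.filter.AttributeRule:175] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_a1' Filter failed. No values released for attribute 'mail' - [session=s1] [ip=192.0.2.10]
2019-09-10 09:41:24,674 - DEBUG [org.geant.idpextension.oidc.attribute.filter.matcher.impl.AttributeInOIDCRequestedClaimsMatcher:217] - Attribute Filter '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/PermitValueRule:_r2': No oidc response ctx for this comparison - [session=s1] [ip=192.0.2.10]
2019-09-10 09:41:24,675 - WARN [net.shibboleth.idp.attribute.filter.AttributeRule:175] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_a2' Filter failed. No values released for attribute 'displayName' - [session=s1] [ip=192.0.2.10]
2019-09-10 09:42:01,101 - WARN [net.shibboleth.idp.attribute.filter.AttributeRule:175] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_a3' Filter failed. No values released for attribute 'eduPersonAffiliation' - [session=s2] [ip=192.0.2.11]
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) - (?P<level>\w+) \[(?P<logger>[^\]:]+):\d+\] - "
                  r"(?P<msg>.*?) - \[session=(?P<session>[^\]]+)\]")
NO_CTX = "No oidc response ctx for this comparison"
FAILED = re.compile(r"Filter failed\. No values released for attribute '([^']+)'")

def triage(log_text):
    """Split 'Filter failed' warnings into those preceded by a missing-OIDC-context
    DEBUG line in the same session and those with no such explanation."""
    pending = {}  # session -> True while the latest matcher line reported no OIDC context
    result = {"no_oidc_ctx": defaultdict(set), "unexplained": defaultdict(set)}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not in the expected layout; ignore
        session, msg = m["session"], m["msg"]
        if m["level"] == "DEBUG" and NO_CTX in msg:
            pending[session] = True
            continue
        failed = FAILED.search(msg)
        if m["level"] == "WARN" and failed:
            attr = failed.group(1)
            explained = pending.pop(session, False) and attr in OIDC_RULE_ATTRS
            result["no_oidc_ctx" if explained else "unexplained"][attr].add(session)
    return result

if __name__ == "__main__":
    for bucket, attrs in triage(SAMPLE_LOG).items():
        for attr, sessions in sorted(attrs.items()):
            print(f"{bucket}: {attr} ({len(sessions)} session(s))")
```

Anything reported under "unexplained" is a fail-safe filter failure without the OIDC matcher's debug line in front of it and needs separate investigation; the pairing only works when debug logging for the OIDC extension is enabled.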