Not attributes statement. can't attempt attribute query, either no NameID or no metadata to use


sunilsharma
Hi List:

I am trying to install and configure Shibboleth 2.4 IDP, and I am testing it with testshib.
I am able to authenticate successfully, but I am not getting any of the user's attributes. When I checked shibd.log, I saw the warning below:

WARN Shibboleth.AttributeResolver.Query [468]: can't attempt attribute query, either no NameID or no metadata to use

The full shibd.log is attached (testshib.log).

I have the following in my attribute-resolver.xml:
        <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="sAMAccountName">
                <resolver:Dependency ref="myLDAP" />
                <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" name="urn:oid:0.9.2342.19200300.100.1.1" />
                <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:metadata" />
        </resolver:AttributeDefinition>

And I have the following lines in my attribute-filter.xml:
    <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
        <afp:AttributeRule attributeID="uid">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

However, I can see this in idp-process.log:
05:05:51.039 - INFO [Shibboleth-Audit:1028] - 20140603T120551Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_2c0ebeca828c4a14c324cce01ca2a6b8484e4ac480|coho_126|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://coho-dev128.cisco.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_59c69a6515554296888d08cf8dab2948|anisinha|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||||

Is it necessary to register with a federation to get attributes released?

Also, I checked with the command below to see what attributes are released, but got "No attribute statement":
[bin]# ./aacli.sh --principal=anisinha --configDir=../conf/ --requester=https://sp.testshib.org/shibboleth-sp --saml1
No attribute statement.

Any idea what's missing?

Thanks,
Sunil Sharma