Retrieve NameID

Retrieve NameID

George Glessner

Hi All,

This may be a simple question but I can’t figure out how to obtain the NameID (username) provided on authentication. Is there a request I can call to obtain this information?

Thanks,

George


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: Retrieve NameID

Rod Widdowson
> This may be a simple question but I can’t figure out how to
> obtain the NameID (username) provided on authentication.

Nit, the NameID isn't the username unless you make it so

> Is there a
> request I can call to obtain this information?

When? where?  In the logs? From the logged in Browser?  On the SP? From a management console?

RE: Retrieve NameID

George Glessner
The NameID is set as the username from our IDP. I am able to access it on our php side with simpleSAMLphp with get_object_vars($this->session->getAuthData('saml:sp:NameID'))['value'] since it is passed over. I would like to be able to do something similar with Shibboleth if possible so I can set a variable to be equal to the result.

Thank you

RE: Retrieve NameID

Rod Widdowson
> The NameID is set as the username from our IDP. I am able to access it on our php side with simpleSAMLphp with
> get_object_vars($this->session->getAuthData('saml:sp:NameID'))['value'] since it is passed over. I would like to
> be able to do something similar with Shibboleth if possible so I can set a variable to be equal to the result.

Shibboleth SP -> it’s the same as SSP
Shibboleth IdP -> In a view?  Check out [1]
                -> At other times (like in attribute resolution or filtering) - it's in the documentation


[1] https://wiki.shibboleth.net/confluence/display/IDP30/VelocityVariables

Re: Retrieve NameID

Peter Schober
In reply to this post by George Glessner
* George Glessner <[hidden email]> [2018-06-29 15:40]:
> The NameID is set as the username from our IDP. I am able to access
> it on our php side with simpleSAMLphp with
> get_object_vars($this->session->getAuthData('saml:sp:NameID'))['value']
> since it is passed over. I would like to be able to do something
> similar with Shibboleth if possible so I can set a variable to be
> equal to the result.

NameIDs are treated like Attributes in the Shib SP, so you'd need to map
the desired format in your attribute-map.xml

https://wiki.shibboleth.net/confluence/display/SHIB2/Configuration
Middle column: "Native Service Provider (SP)"
-> "Use a New Attribute"
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddAttribute

-peter

RE: Retrieve NameID

George Glessner
In reply to this post by Rod Widdowson
In my attribute-map.xml there is

    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
    </Attribute>

Does this not build a HTTP header? I am just looking for a way to obtain the value for persistent-id. I have checked https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddAttribute and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess to make sure I am attempting to do the right process but when I call Request.servervariables("HTTP_persistent-id") I get nothing.

Thank you

Re: Retrieve NameID

Peter Schober
* George Glessner <[hidden email]> [2018-06-29 16:18]:
> In my attribute-map.xml there is
>
>     <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
>         <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
>     </Attribute>
>
> Does this not build a HTTP header?

No. Not unless you force the software to do so:
By default attributes are exposed as environment variables, not as
HTTP Request Headers, at least on Apache httpd.
The documentation explains why. (TL;DR: Because security.)

> Request.servervariables("HTTP_persistent-id")

What kind of API is that?

Also check whether underscores and dashes are not molested/normalized
on the conversion to HTTP Request Headers in some way, so the name may
not be exactly that.

As Scott already told you in another thread recently:

* Cantor, Scott <[hidden email]> [2018-06-28 22:06]:
> On IIS the safeHeaderNames option will collapse the punctuation in
> the header names, the wiki discusses that. Don't know that that's
> your issue, but it's possible.
>
> Dump your headers with a loop and you'll know what's there or not.

-peter

RE: Retrieve NameID

George Glessner
I am using classic ASP. I did dump all headers and that is not there.  In https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess under "Request Headers" it states "On IIS and Sun/iPlanet, the request header mechanism is the only one supported... On these platforms, the SP is forced to substitute the use of custom HTTP request headers." So does that mean I can only use the custom headers provided for me?

Thank you


RE: Retrieve NameID

George Glessner
In reply to this post by Peter Schober
Looking at what is getting sent over I noticed:

        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                NameQualifier="[Metadata URL]">gglessner</saml:NameID>


So I changed my attribute-map to account for unspecified but still don't think I will be able to access it because of Classic ASP and IIS. We tried placing an attribute of e-mail, but that attribute doesn't show up on the Session page.

This is what is getting sent over for attribute:

<saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">[hidden email]</saml:AttributeValue>
            </saml:Attribute>

Is there anything I need to update to account for this new attribute?



Re: Retrieve NameID

Peter Schober
* George Glessner <[hidden email]> [2018-06-29 17:22]:
> Looking at what is getting sent over I noticed:
>
> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>                 NameQualifier="[Metadata URL]">gglessner</saml:NameID>

So the rules for persistent will never match.

 

> So I changed my attribute-map to account for unspecified but still
> don't think I will be able to access it because of Classic ASP and
> IIS. We tried placing an attribute of e-mail, but that attribute
> doesn't show up on the Session page.
>
> This is what is getting sent over for attribute:
>
> <saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>                 <saml:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">[hidden email]</saml:AttributeValue>
>             </saml:Attribute>
>
> Is there anything I need to update to account for this new attribute?

Yes. You already quoted the URL but it looks like you'll need to read
it again (there's no shame to that, I frequently learn new things when
looking at docs again, even stuff I've thoroughly read earlier):
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddAttribute

From the above the formal attribute name is "Email", so you'll have to
have a rule for that specific name in your attribute-map.xml.
You may also have to add the "basic" nameFormat, docs are here:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeExtractor#NativeSPAttributeExtractor-ChildElements.1

-peter

RE: Retrieve NameID

George Glessner
Hi Peter,

Thanks for all of your help, sorry I am very new to this!

I added the following to my attribute-map:

<Attribute name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Email"/>
         <AttributeDecoder xsi:type="xsd:string"/>
    </Attribute>

Still am not seeing the attribute. I also tried:

Attribute name="Email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Email"/>
         <AttributeDecoder xsi:type="xsd:string"/>
    </Attribute>

To no avail.


Re: Retrieve NameID

Peter Schober
* George Glessner <[hidden email]> [2018-06-29 17:48]:

> I added the following to my attribute-map:
>
> <Attribute name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Email"/>
>          <AttributeDecoder xsi:type="xsd:string"/>
>     </Attribute>
>
> Still am not seeing the attribute. I also tried:
>
> Attribute name="Email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Email"/>
>          <AttributeDecoder xsi:type="xsd:string"/>
>     </Attribute>
>
> To no avail.

Order of XML attributes doesn't matter, so the above are equivalent.
Also you can drop the Decoder, see the example in the docs called
"Example of a Simple String-valued Attribute with nameFormat".

Either should work and be equivalent to:
<Attribute name="Email" id="mail" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>

so if you're saying you're "not seeing the attribute" we're probably
back to you not looking properly.

1. What does shibd.log say when receiving the attribute?
2. What does transaction.log say when receiving the attribute?

Forget ASP, passing data on to downstream components is something to
look at once you're sure the SP software has processed the data
correctly.

-peter

RE: Retrieve NameID

Boyd, Todd M.
In reply to this post by George Glessner
To my knowledge, Shibboleth SP on IIS will not set REMOTE_USER. I built an IIS module that will handle this, but out of the box, it doesn't work. If you'd like, I can supply you with the source code for the module (or just a DLL) with the stipulation that I do not provide technical support.


-Todd


RE: Retrieve NameID

Rod Widdowson
To slightly thread-hijack

> To my knowledge, Shibboleth SP on IIS will not set REMOTE_USER.

Correct in V2.  In V3 there will be a new plugin which only works on IIS >= 7 which does this.


RE: Retrieve NameID

George Glessner
In reply to this post by Peter Schober
Peter,

Looking at shibd I notice:

2018-06-29 11:56:28 INFO Shibboleth.AttributeExtractor.XML [68]: skipping unmapped SAML 2.0 Attribute with Name: Email, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic

It is strange because it is being sent over as SAML 2 but in the metadata provided by IDP there is this:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

which I do not know if that correlates to this e-mail attribute or not but I tried replacing the nameformat with the above and still could not get it to show up. I saw this post https://serverfault.com/questions/790521/skipping-unmapped-saml-2-0-attribute-even-though-name-and-nameformat-matchf which states that Shibboleth can't mix SAML 1 and 2 so I am not sure if that is my issue or not.

Re: Retrieve NameID

Peter Schober
* George Glessner <[hidden email]> [2018-06-29 18:09]:
> 2018-06-29 11:56:28 INFO Shibboleth.AttributeExtractor.XML [68]:
> skipping unmapped SAML 2.0 Attribute with Name: Email,
> Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic

Then you have not mapped an attribute with those exact two properties.
You probably have not restarted shibd after changing the map and/or
not set the map to auto-reload.

> It is strange because it is being sent over as SAML 2 but in the
> metadata provided by IDP there is this:

Metadata doesn't factor into this.

-peter
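
The check described in the message above, as an added example that is not part of the original thread or of the Shibboleth project: it compares the (Name, NameFormat) pair from a shibd.log "skipping unmapped" line with the rules in attribute-map.xml as it is on disk. The function names, the constructed sample maps and the set of default-equivalent formats are assumptions of this example; the log line is the one quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

AM_NS = "{urn:mace:shibboleth:2.0:attribute-map}"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Assumption: a rule without nameFormat only matches attributes whose
# NameFormat is absent, "uri" or "unspecified" (the SP's documented default).
DEFAULT_FORMATS = {
    "",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
    "urn:mace:shibboleth:1.0:attributeNamespace:uri",
}

# Matches the shibd.log message quoted in the thread; Format may be absent.
SKIP_RE = re.compile(
    r"skipping unmapped SAML \S+ Attribute with Name: (?P<name>[^,\s]+)"
    r"(?:,\s*Format:\s*(?P<fmt>\S+))?"
)


def norm(fmt):
    """Collapse every default-equivalent NameFormat to the empty string."""
    fmt = (fmt or "").strip()
    return "" if fmt in DEFAULT_FORMATS else fmt


def load_rules(map_xml):
    """Return {(name, normalized nameFormat): id} for each <Attribute> rule."""
    root = ET.fromstring(map_xml)
    return {
        (el.get("name"), norm(el.get("nameFormat"))): el.get("id")
        for el in root.iter(AM_NS + "Attribute")
    }


def diagnose(map_xml, log_text):
    """Classify each skipped attribute against the map as it is on disk."""
    rules = load_rules(map_xml)
    findings = []
    for m in SKIP_RE.finditer(log_text):
        name, fmt = m["name"], norm(m["fmt"])
        if (name, fmt) in rules:
            # The file has the rule, yet shibd skipped the attribute. Assuming
            # the log line is newer than the edit, the running shibd has not
            # loaded this map: restart shibd or enable map reloading.
            findings.append((name, "stale-map", rules[(name, fmt)]))
        elif any(n == name for n, _ in rules):
            # Same Name, different nameFormat: both properties must match.
            findings.append((name, "format-mismatch", fmt))
        else:
            findings.append((name, "unmapped", fmt))
    return findings


# Log line as quoted in the thread.
LOG = ("2018-06-29 11:56:28 INFO Shibboleth.AttributeExtractor.XML [68]: "
       "skipping unmapped SAML 2.0 Attribute with Name: Email, "
       "Format:" + BASIC)

# Constructed attribute-map.xml variants, one per outcome.
HEAD = '<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">'
MAP_NO_RULE = (HEAD + '<Attribute name="urn:oid:0.9.2342.19200300.100.1.3"'
               ' id="mail"/></Attributes>')
MAP_NO_FORMAT = HEAD + '<Attribute name="Email" id="mail"/></Attributes>'
MAP_FIXED = (HEAD + '<Attribute name="Email" id="mail" nameFormat="%s"/>'
             '</Attributes>' % BASIC)

if __name__ == "__main__":
    for label, sample in [("no rule", MAP_NO_RULE),
                          ("rule without nameFormat", MAP_NO_FORMAT),
                          ("rule from the thread", MAP_FIXED)]:
        print(label, "->", diagnose(sample, LOG))
```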

RE: Retrieve NameID

George Glessner
That was it.. didn't restart shibboleth, just IIS. Thank you so much!
