Sent Attributes

Sent Attributes

Robert Lamothe
Hello,

    I'm working with an SP that's authenticating against my test IDP.  We've swapped metadata and that seems to work, I can connect to their SP, it redirects to my IDP, I authenticate and get a page that identifies the attributes that are being sent and yet the SP claims there are no attributes being delivered.

   I've tested against shibtest.org and everything looks good there, I've also had other SPs work against this IDP.

    I'm now in a "Your IDP isn't sending attributes" vs "Yes it is, the 'Information Being Provided to Service' page shows what's being sent" discussion.  How do I prove it beyond that?

Thanks
-Bob
--
Bob Lamothe
[hidden email]
KB1BOB
603-918-6336


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
RE: Sent Attributes

Rod Widdowson
>     I'm now in a "Your IDP isn't sending attributes" vs "Yes it is, the 'Information Being Provided to Service' page shows
> what's being sent" discussion.  How do I prove it beyond that?

By way of an experiment: you could consider turning off encryption for the SP in question and capturing the trace in a SAML tracer (I use the one in Firefox).  Then you have a trace "See there they are".

You'd need to be pushing attributes of course, but I take that as read.

RE: Sent Attributes

Steven Teixeira
In reply to this post by Robert Lamothe

Assuming there’s nothing you don’t want to send via plaintext to them, a copy of the exact SAML response usually works for me.

Steven Teixeira

From: users [mailto:[hidden email]] On Behalf Of Robert Lamothe
Sent: Tuesday, May 29, 2018 08:59
To: Shib Users <[hidden email]>
Subject: Sent Attributes

Re: Sent Attributes

Cameron Kerr
Turn on the protocol debugging and you’ll get the entire SAMLResponse and SAMLRequest, which is the most helpful thing to see in my experience.

The issue may well be that the attributes are not being mapped at the other end. Providing the protocol message gives the most clarity as to what needs to be mapped.

Knowing the SP implementation really helps. 

Sent from my iPhone

On 30/05/2018, at 4:06 AM, Steven Teixeira <[hidden email]> wrote:

Assuming there’s nothing you don’t want to send via plaintext to them, a copy of the exact SAML response usually works for me.
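
The check the replies describe, as an added example that is not part of any message in this thread: decode the base64 `SAMLResponse` form value captured by a SAML tracer (HTTP-POST binding) and list each attribute's `Name`, `NameFormat` and values, which is what the SP has to map, and report when the assertion is still encrypted. The function name and the trimmed sample response (no signature, IDs or conditions) are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def summarize_saml_response(b64_response):
    """Decode a POST-binding SAMLResponse form value and list the attributes in it."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml:  # SAML messages never need a DTD; refuse entity expansion
        raise ValueError("DOCTYPE not allowed in a SAML message")
    root = ET.fromstring(xml)
    attrs = []
    for a in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs.append({
            "name": a.get("Name"),                  # the identifier the SP must map
            "name_format": a.get("NameFormat"),
            "friendly_name": a.get("FriendlyName"),
            "values": [(v.text or "").strip()
                       for v in a.findall("saml:AttributeValue", NS)],
        })
    return {
        # Non-zero means the attributes are inside ciphertext and cannot be shown
        # this way; capture again with encryption off for the SP being debugged.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "attributes": attrs,
    }

# Constructed sample (not a real capture): an unencrypted response with two attributes.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>user@example.org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>user@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for attr in summarize_saml_response(SAMPLE_B64)["attributes"]:
        print(attr["friendly_name"], attr["name"], attr["values"])
```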