I am having an issue with Adobe SSO where my IdP doesn't release the attributes to them unless I use xsi:type="ANY". The AttributeFilterPolicy in question works flawlessly with bin/aacli.sh using the requester value from the policy. So, my guess is that I am using an incorrect requester value in my policy.
Is there a way that I can get the requester value for attribute-filter.xml from the IdP or is it easier to log a call with Adobe?
I very nearly tried that early in testing but read in the integration guide section of the Shibboleth wiki that "The Adobe service is provided via a SAML IdP/SP Proxy (Okta), it is the Okta SP that you are integrating with". The Adobe SSO docs and the integration guide both use a requester value in the form of "https://www.okta.com/saml2/service-provider/xxxxxxxxxxxxxxxxxxxx". I should have stuck to my original plan.
Three beers for Rod(next time you are in Salford, UK).
Network & IT Systems Support
Bolton Sixth Form College
T: 01204 846215
E: [hidden email] W: www.bolton-sfc.ac.uk
Save Paper. Please consider the environment before printing.
From: users <[hidden email]> On Behalf Of Rod Widdowson
Sent: 12 February 2020 11:43
To: 'Shib Users' <[hidden email]>
Subject: RE: AttributeFilterPolicy requester Value
> Is there a way that I can get the requester value for attribute-filter.xml from the IdP or is it easier to log a call with Adobe?
Absent any other unlikely weirdness in your configuration its the EntityID.
>> The Requester type is a PolicyRule which returns true if the name (generally the SAML entityID) of the system
requesting/receiving the attributes (usually an SP) matches a supplied string.