SP not getting attributes

SP not getting attributes

Lohr, Donald
One of our developers is working on an on-prem SP and has the following problem he cannot resolve:

IdP configured and releases the correct 3 attributes in SAML-tracer:

<saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">DemoID</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="acmeGroups" Name="acmeGroups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">acme-RO</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">acme-RW</saml2:AttributeValue>
        . . .
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Demo</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>


The SP attribute-map.xml contains the following:

<Attribute name="urn:oid:2.5.4.3" id="cn"/>
<Attribute name="urn:oid:2.5.4.4" id="sn"/>
<Attribute name="acmeGroups" id="acmeGroups" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>


The SP’s shibd.log has the following when an auth is successful:
 

2020-01-23 16:13:40 INFO Shibboleth.AttributeExtractor.XML [136] [default]: skipping unmapped SAML 2.0 Attribute with Name: acmeGroups
2020-01-23 16:13:40 INFO Shibboleth.AttributeExtractor.XML [136] [default]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.4
2020-01-23 16:13:40 INFO Shibboleth.SessionCache [136] [default]: new session created: ID (_047fedc8ff4c37dc200fdc95d313d02f) . . .

 
Suggestions?




Thanks,
Don
-- 
Donald Lohr
Information Systems
James Madison University
540.568.3730


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: SP not getting attributes

Cantor, Scott E.
On 1/23/20, 5:09 PM, "users on behalf of Lohr, Donald" <[hidden email] on behalf of [hidden email]> wrote:

> Suggestions?

That isn't the attribute-map configuration it's using most likely. Occam's Razor.

-- Scott



Re: SP not getting attributes

Peter Schober
In reply to this post by Lohr, Donald
* Lohr, Donald <[hidden email]> [2020-01-23 23:09]:
> <saml2:Attribute FriendlyName="*acmeGroups*" Name="acmeGroups"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

Note that unless the actual "acmeGroups" attribute name really is a
URI the above is not appropriate. You'd use "basic" naming for such
values (and again in the attribute map at the SP).

But your map entries match those, so that's not the reason for the
"skipping unmapped" events.

-peter
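The following is an added diagnostic, not code from the thread or from the Shibboleth project: it replays the SP's "skipping unmapped" decision for an AttributeStatement against a set of attribute-map entries, so you can confirm which map file actually matches what the IdP sends. It assumes the SP matches on (Name, NameFormat) and that a map entry with no nameFormat accepts the URI format or an attribute with no NameFormat at all; the SAML and map snippets are constructed from the ones quoted above.

```python
"""Replay attribute-map matching for a SAML 2.0 AttributeStatement (added diagnostic)."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASIC_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample, modelled on the AttributeStatement quoted in the thread.
ASSERTION_XML = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2}">
  <saml2:Attribute Name="urn:oid:2.5.4.3" NameFormat="{URI_FMT}"><saml2:AttributeValue>DemoID</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="acmeGroups" NameFormat="{URI_FMT}"><saml2:AttributeValue>acme-RO</saml2:AttributeValue><saml2:AttributeValue>acme-RW</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="urn:oid:2.5.4.4" NameFormat="{URI_FMT}"><saml2:AttributeValue>Demo</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>"""

# Constructed attribute-map.xml with the three entries from the thread.
MAP_XML = f"""<Attributes>
  <Attribute name="urn:oid:2.5.4.3" id="cn"/>
  <Attribute name="urn:oid:2.5.4.4" id="sn"/>
  <Attribute name="acmeGroups" id="acmeGroups" nameFormat="{URI_FMT}"/>
</Attributes>"""

def load_map(map_xml):
    """Return {(name, nameFormat): id}. Assumption: an entry without nameFormat
    matches the URI format and also an attribute carrying no NameFormat."""
    rules = {}
    for e in ET.fromstring(map_xml).iter("Attribute"):
        fmt = e.get("nameFormat")
        for f in ([fmt] if fmt else [URI_FMT, None]):
            rules[(e.get("name"), f)] = e.get("id")
    return rules

def extract(assertion_xml, map_xml):
    """Return (mapped {id: [values]}, skipped [Name]) for one AttributeStatement."""
    rules = load_map(map_xml)
    mapped, skipped = {}, []
    for attr in ET.fromstring(assertion_xml).iter(f"{{{SAML2}}}Attribute"):
        key = (attr.get("Name"), attr.get("NameFormat"))
        if key not in rules:
            skipped.append(key[0])  # what shibd logs as "skipping unmapped"
            continue
        mapped[rules[key]] = [v.text for v in attr.iter(f"{{{SAML2}}}AttributeValue")]
    return mapped, skipped

if __name__ == "__main__":
    print(extract(ASSERTION_XML, MAP_XML))  # thread's map matches all three
    # Same assertion, but acmeGroups sent with the "basic" format instead:
    basic = ASSERTION_XML.replace(f'Name="acmeGroups" NameFormat="{URI_FMT}"',
                                  f'Name="acmeGroups" NameFormat="{BASIC_FMT}"')
    print(extract(basic, MAP_XML))  # acmeGroups now reported as skipped
```

With the map quoted in the thread nothing is skipped, which supports Scott's point that shibd must be reading a different map; switching acmeGroups to the basic format without updating the map reproduces the "skipping unmapped" case Peter describes.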