Question

I'm acting as a service provider in a Shibboleth SSO interaction. I'm successfully getting back the SAML response with the expected attributes inside. However, these attributes are not showing up in the /Shibboleth.sso/Session Attributes list.

I have the <MetadataProvider> tag in the shibboleth.xml file. I'm wondering what else I could be doing wrong?

In the shibd.log I see the following:

skipping unmapped SAML 2.0 Attribute with Name: xxxx, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
skipping unmapped SAML 2.0 Attribute with Name: yyyy

EDIT - I also added to attribute-map.xml:

<Attribute Name="xxxx" id="xxxx" />
<Attribute Name="yyyy" id="yyyy" />

The attributes do not have fully qualified names in the IdP's metadata.xml. The names are just "xxxx" and "yyyy". Does this matter?

Finally, in the IdP's metadata.xml, they have this:

<saml:Attribute Name="xxxx" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute Name="yyyy" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>

Solution 2

I believe I have solved it. In the attribute-map.xml I had to add:

<Attribute name="xxxx" id="xxxx">
  <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
</Attribute>
<Attribute name="yyyy" id="yyyy">
  <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
</Attribute>

See here: NativeSPAttributeDecoder

Other tips

From Shibboleth documentation:

The SAML V2.0 LDAP/X.500 Attribute Profile specifies that X.500/LDAP attributes be named by utilizing the urn:oid namespace. These names are simply constructed using the string urn:oid followed by the OID defined for the attribute.

So you definitely need to use OIDs for attribute names; attribute-map.xml has lots of examples.

For custom attributes that are specific to some IdP, they will have to supply you with OIDs to use.
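As an added example (not from either answer above), a small Python pre-check that applies the matching rule the SP documents for attribute-map.xml to a captured AttributeStatement, so a "skipping unmapped" line like the ones in the question can be explained before touching shibd: a rule without nameFormat matches the uri and unspecified formats, while any other format (such as the basic format declared in the IdP metadata) must be named on the rule, and urn:oid names are matched like any other. The map, the assertion and the matching rule are my constructions modelled on the documentation, not the SP's own code.

```python
"""Pre-check which SAML 2.0 attributes an attribute-map.xml would map. Matching is
modelled on the SP's documented default (an assumption, not the SP's code): a rule
without nameFormat matches uri/unspecified; other formats (e.g. basic) need nameFormat."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample attribute-map.xml: one default-format rule, one basic-format rule, one OID rule.
ATTRIBUTE_MAP = f"""<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="xxxx" id="xxxx"/>
  <Attribute name="yyyy" id="yyyy" nameFormat="{BASIC}"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
</Attributes>"""

# Constructed sample AttributeStatement as an IdP might return it ("zzzz" has no rule).
ASSERTION = f"""<saml:AttributeStatement xmlns:saml="{SAML2}">
  <saml:Attribute Name="xxxx" NameFormat="{UNSPECIFIED}"><saml:AttributeValue>1</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="yyyy" NameFormat="{BASIC}"><saml:AttributeValue>2</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="zzzz" NameFormat="{BASIC}"><saml:AttributeValue>3</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>a@b.example</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def normalize(fmt):
    """Absent and 'unspecified' formats are treated as 'uri', the SP default."""
    return URI if fmt in (None, "", UNSPECIFIED) else fmt

def load_rules(map_xml):
    """Return {(nameFormat, name): id} for every <Attribute> rule in the map."""
    rules = {}
    for rule in ET.fromstring(map_xml):
        # XML attributes are case-sensitive: the schema uses lowercase 'name'.
        name = rule.get("name")
        if rule.tag.endswith("Attribute") and name:
            rules[(normalize(rule.get("nameFormat")), name)] = rule.get("id")
    return rules

def check(assertion_xml, rules):
    """Return (mapped {id: [values]}, skipped [shibd-style log lines])."""
    mapped, skipped = {}, []
    for attr in ET.fromstring(assertion_xml).iter(f"{{{SAML2}}}Attribute"):
        name, fmt = attr.get("Name"), attr.get("NameFormat") or UNSPECIFIED
        if (normalize(fmt), name) in rules:
            mapped[rules[(normalize(fmt), name)]] = [v.text for v in attr.iter(f"{{{SAML2}}}AttributeValue")]
        else:
            skipped.append(f"skipping unmapped SAML 2.0 Attribute with Name: {name}, Format:{fmt}")
    return mapped, skipped

if __name__ == "__main__":
    print(check(ASSERTION, load_rules(ATTRIBUTE_MAP)))
```

Swap in your own attribute-map.xml and a decrypted assertion from the SP log to see which rule (if any) each incoming attribute hits.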

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow