grouper-users - Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth

Subject: Grouper Users - Open Discussion List

  • From: Peter Schober <>
  • To:
  • Subject: Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth
  • Date: Thu, 22 Sep 2011 09:47:26 +0200
  • Organization: Vienna University Computer Center

* Jie Lv <> [2011-09-22 09:25]:
> In relying-party.xml, I configured the idp to release the authn statement
> and attribute statement together.

That would be the default for SAML2 (so no need to change anything in
that regard in the Shibboleth IdP), but it's not true in your case,
see below.

> In idp-process.log, I got the following message:
> 2011-09-22 14:47:17,293 INFO [Shibboleth-Audit:898] - 20110922T064717Z|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|_8186d5f25a2e99780ee7102bb08e3b4c|https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed|urn:mace:shibboleth:2.0:profiles:saml2:query:attribute|https://idp2.pku.edu.cn/idp/shibboleth/carsifed|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|_8325d826b3609fbe4d1534d020bcb008|10101||isMemberOf,transientId,|||
>
> But on the shibd.log in the SP, I could see the text of the assertions:
[...]
> </saml:AuthnStatement></saml:Assertion>
>
> There was NO attribute named "isMemberOf"

You're looking in the wrong place: The assertion you posted is missing
the complete <saml:AttributeStatement>, which would come
after the <saml:AuthnStatement> in the <saml:Assertion>, so the IdP is
*not* sending it with the authentication assertion. But it should be
included in the SP's log a bit further down, I would expect.

Also you can see the reference to
"urn:mace:shibboleth:2.0:profiles:saml2:query:attribute" in the IdP's
audit.log, so there was an attribute query from the SP and only there
was the attribute transferred (hence its entry in the audit log, even
though it wasn't included in the assertion you posted).

So your Shib configuration is off in that you don't send attribute
statements over the browser, but it's working since the SP by
default does attribute queries if no attributes were received during
SSO.
Which now probably begs the question how you came to determine that
the attribute was not received in the SP. Did you check the SP's
transaction.log or the session handler (by default at
/Shibboleth.sso/Session after login)?

Either way, this is not on the Grouper (or Grouper plugin) side of
things.
-peter
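The check Peter describes (reading the IdP audit log to see whether attributes went out in the browser SSO assertion or only in a later back-channel attribute query) can be done mechanically. The script below is an added example for this thread, not code from Shibboleth, Grouper or the poster. It assumes the pipe-delimited field order of the Shibboleth IdP 2.x audit record (time|requestBinding|requestId|relyingPartyId|messageProfileId|assertingPartyId|responseBinding|responseId|principal|authnMethod|releasedAttributes|nameId|assertionIds|) and assumes the SAML 2 browser SSO profile is logged as urn:mace:shibboleth:2.0:profiles:saml2:sso; the attribute-query profile identifier is the one visible in the quoted audit line. Of the three sample records, the first is the thread's own audit line rejoined onto one line and the other two are constructed.

```python
"""Classify Shibboleth IdP 2.x audit records per relying party: were attributes
pushed in the SSO assertion, or only fetched by a back-channel attribute query?

Added diagnostic for this thread; not Shibboleth or Grouper code.
"""
from collections import defaultdict

# Profile identifier seen in the audit line quoted in the thread.
ATTR_QUERY_PROFILE = "urn:mace:shibboleth:2.0:profiles:saml2:query:attribute"
# Assumed identifier the IdP writes for SAML 2 browser SSO.
SSO_PROFILE = "urn:mace:shibboleth:2.0:profiles:saml2:sso"

# Assumed IdP 2.x audit field order (pipe-delimited, trailing "|").
AUDIT_FIELDS = [
    "time", "request_binding", "request_id", "relying_party", "profile",
    "asserting_party", "response_binding", "response_id", "principal",
    "authn_method", "attributes", "name_id", "assertion_ids",
]


def parse_audit_line(line):
    """Parse one audit record; return None for lines that are not audit records."""
    # In idp-process.log the record follows "[Shibboleth-Audit:NNN] - ";
    # in idp-audit.log it stands alone.
    if "[Shibboleth-Audit" in line:
        line = line.split(" - ", 1)[1]
    parts = line.strip().split("|")
    if len(parts) < len(AUDIT_FIELDS):
        return None
    record = dict(zip(AUDIT_FIELDS, parts))
    # Comma-separated lists carry a trailing comma ("isMemberOf,transientId,").
    for key in ("attributes", "assertion_ids"):
        record[key] = [v for v in record[key].split(",") if v]
    return record


def summarize(lines):
    """Per relying party: SSO and attribute-query event counts and the attributes each released."""
    per_rp = defaultdict(lambda: {"sso": 0, "sso_attrs": set(), "query": 0, "query_attrs": set()})
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        bucket = per_rp[rec["relying_party"]]
        if rec["profile"] == SSO_PROFILE:
            bucket["sso"] += 1
            bucket["sso_attrs"].update(rec["attributes"])
        elif rec["profile"] == ATTR_QUERY_PROFILE:
            bucket["query"] += 1
            bucket["query_attrs"].update(rec["attributes"])
    return dict(per_rp)


def diagnose(summary):
    """Map each relying party to a one-line verdict."""
    verdicts = {}
    for rp, b in summary.items():
        if b["sso_attrs"]:
            verdicts[rp] = "attributes pushed in the SSO assertion"
        elif b["query_attrs"]:
            verdicts[rp] = "attributes only via back-channel attribute query"
        else:
            verdicts[rp] = "no attributes released"
    return verdicts


# Sample input. Record 1 is the audit line quoted in the thread (rejoined onto
# one line); records 2 and 3 are constructed for illustration.
SAMPLE_LOG = [
    "2011-09-22 14:47:17,293 INFO [Shibboleth-Audit:898] - "
    "20110922T064717Z|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|_8186d5f25a2e99780ee7102bb08e3b4c"
    "|https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed|urn:mace:shibboleth:2.0:profiles:saml2:query:attribute"
    "|https://idp2.pku.edu.cn/idp/shibboleth/carsifed|urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    "|_8325d826b3609fbe4d1534d020bcb008|10101||isMemberOf,transientId,|||",
    # constructed: the preceding browser SSO to the same SP released no attributes
    "20110922T064705Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req-sso-1"
    "|https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed|urn:mace:shibboleth:2.0:profiles:saml2:sso"
    "|https://idp2.pku.edu.cn/idp/shibboleth/carsifed|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    "|_resp-sso-1|10101|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_nameid-1|_assertion-1,|",
    # constructed: a hypothetical SP that gets attributes pushed during SSO
    "20110922T065000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req-sso-2"
    "|https://sp.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso"
    "|https://idp2.pku.edu.cn/idp/shibboleth/carsifed|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    "|_resp-sso-2|10101|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    "|isMemberOf,transientId,|_nameid-2|_assertion-2,|",
]

if __name__ == "__main__":
    for rp, verdict in diagnose(summarize(SAMPLE_LOG)).items():
        print(f"{rp}: {verdict}")
```

Run against a real log with `diagnose(summarize(open("idp-audit.log")))`; a verdict of "attributes only via back-channel attribute query" for an SP is exactly the situation in this thread, where the SSO assertion carries no AttributeStatement and the SP's default attribute query is what actually delivers isMemberOf.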


