
grouper-users - Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth

Subject: Grouper Users - Open Discussion List

  • From: Peter Schober <>
  • To:
  • Subject: Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth
  • Date: Thu, 22 Sep 2011 10:13:17 +0200
  • Organization: Vienna University Computer Center

* Jie Lv <> [2011-09-22 10:04]:
> 2011-09-22 15:57:28,989 DEBUG [edu.internet2.middleware.grouper.shibboleth.attributeDefinition.GroupAttributeDefinition:94] - resolve '10101' ad 'isMemberOf' value 'pkuid:faculty:cc'

Not having seen Grouper's shib plugin before I would assume that to
mean that there is indeed a value for isMemberOf (btw, should that be
"as" in the log message, instead of "ad" above?).

> 2011-09-22 15:57:29,060 INFO [Shibboleth-Audit:898] - 20110922T075729Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_493b006278b68a310c35a6d8f95bb93f|https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp2.pku.edu.cn/idp/shibboleth/carsifed|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_5e5be99e8bd569b99822e87506d849c8|10101|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|isMemberOf,transientId,carsifed:username,|||

And this usually would mean that the attribute isMemberOf was in fact
released (the IdP usually filters out empty attributes which, again,
would hint at the existing value).
But obviously it's not part of the attribute statement you posted,
which looks like a bug somewhere (the IdP should not be logging it
sent isMemberOf in the audit.log when in fact it didn't).

> Still, it seems to me that Grouper Plugin could get isMemberOf
> attribute, but IdP failed to release it to SP.

I guess Tom will need to take this up with the Shib developers.
-peter
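
A diagnostic for the mismatch discussed in this message, as an added example that is not part of the original post or of Grouper or Shibboleth code: it parses the quoted audit entry and lists attribute ids the IdP logged as released that are absent from the attribute statement the SP received. The field labels, the sample statement, and the assumption that attribute ids equal the `FriendlyName` values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Field labels are this example's own names for the 13 pipe-separated
# positions of the audit entry quoted in the message.
FIELDS = ["time", "request_binding", "request_id", "relying_party", "profile",
          "idp_entity", "response_binding", "response_id", "principal",
          "authn_method", "released_attributes", "name_id", "assertion_ids"]
ATTRIBUTE_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"

def parse_audit_line(line):
    """Split one Shibboleth-Audit entry into a dict of named fields."""
    payload = line.split(" - ", 1)[-1].strip()   # drop the logger prefix
    record = dict(zip(FIELDS, payload.split("|")))
    # The attribute list carries a trailing comma, so drop empty items.
    record["released_attributes"] = [
        a for a in record.get("released_attributes", "").split(",") if a]
    return record

def attributes_in_statement(xml_text):
    """FriendlyName (else Name) of each Attribute the SP actually received."""
    root = ET.fromstring(xml_text)
    return {a.get("FriendlyName") or a.get("Name") for a in root.iter(ATTRIBUTE_TAG)}

def logged_but_not_sent(audit_line, statement_xml, sent_as_name_id=("transientId",)):
    """Attribute ids the audit log lists that are absent from the statement.

    Assumption: ids in sent_as_name_id travel as the subject NameID rather
    than in the AttributeStatement, so they are not reported as missing.
    """
    seen = attributes_in_statement(statement_xml)
    return [a for a in parse_audit_line(audit_line)["released_attributes"]
            if a not in seen and a not in sent_as_name_id]

# Audit entry from the quoted log, with the mail client's line wraps removed.
AUDIT_LINE = (
    "2011-09-22 15:57:29,060 INFO [Shibboleth-Audit:898] - 20110922T075729Z|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_493b006278b68a310c35a6d8f95bb93f|"
    "https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed|urn:mace:shibboleth:2.0:profiles:saml2:sso|"
    "https://idp2.pku.edu.cn/idp/shibboleth/carsifed|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
    "_5e5be99e8bd569b99822e87506d849c8|10101|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|"
    "isMemberOf,transientId,carsifed:username,|||")

# Constructed statement (not from the thread): only the username attribute arrived.
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute FriendlyName="carsifed:username" Name="urn:example:username">
    <saml:AttributeValue>10101</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    print(logged_but_not_sent(AUDIT_LINE, SAMPLE_STATEMENT))
```
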


