grouper-users - RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth

Subject: Grouper Users - Open Discussion List

  • From: "Jie Lv" <>
  • To: "'Peter Schober'" <>, <>
  • Subject: RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth
  • Date: Thu, 22 Sep 2011 16:47:22 +0800

I checked the source code for
edu.internet2.middleware.grouper.Group.MemberDataConnector

Below is from line 190 to line 202 of the code.
190   MemberDataConnector.LOG.debug("resolve {} subjectIDs {}", msg, MemberDataConnector.this.getSubjectAttributeIdentifiers());
191   for (AttributeIdentifier attributeIdentifier : MemberDataConnector.this.getSubjectAttributeIdentifiers()) {
192     MemberDataConnector.LOG.debug("resolve {} member {} field {}", new Object[] { msg, member, attributeIdentifier });
193     if (subject.getSourceId().equals(attributeIdentifier.getSource()))
194     {
195       if (attributeIdentifier.getId().equals("name")) {
196         String name = subject.getName();
197         if (name != null) {
198           BasicAttribute nameAttribute = new BasicAttribute("name");
199           nameAttribute.setValues(GrouperUtil.toList(new String[] { name }));
200           attributes.put(nameAttribute.getId(), nameAttribute);
201         }
202       }

It seems to me that maybe something went wrong between line 199 and line
200.

Jie

-----Original Message-----
From: [mailto:] On Behalf Of Peter Schober
Sent: Thursday, September 22, 2011 4:13 PM
To:
Subject: Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth

* Jie Lv <> [2011-09-22 10:04]:
> 2011-09-22 15:57:28,989 DEBUG [edu.internet2.middleware.grouper.shibboleth.attributeDefinition.GroupAttributeDefinition:94] - resolve '10101' ad 'isMemberOf' value 'pkuid:faculty:cc'

Not having seen Grouper's shib plugin before I would assume that to
mean that there is indeed a value for isMemberOf (btw, should that be
"as" in the log message, instead of "ad" above?).

> 2011-09-22 15:57:29,060 INFO [Shibboleth-Audit:898] - 20110922T075729Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_493b006278b68a310c35a6d8f95bb93f|https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp2.pku.edu.cn/idp/shibboleth/carsifed|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_5e5be99e8bd569b99822e87506d849c8|10101|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|isMemberOf,transientId,carsifed:username,|||

And this usually would mean that the attribute isMemberOf was in fact
released (the IdP usually filters out empty attributes which, again,
would hint at the existing value).
But obviously it's not part of the attribute statement you posted,
which looks like a bug somewhere (the IdP should not be logging it
sent isMemberOf in the audit.log when in fact it didn't).

> Still, it seems to me that Grouper Plugin could get isMemberOf
> attribute, but IdP failed to release it to SP.

I guess Tom will need to take this up with the Shib developers.
-peter



