Shibboleth Developers

[Nate Klingenstein <>]

Maybe I'm missing something obvious.  The results from the C++ version:

2005-10-31 23:50:24 INFO Shibboleth-TRANSACTION : New session (ID:  
_3a231daca3dae197bd6e53bf91715846) with (applicationId: default) for  
principal from (IdP: https://id.youngvillains.org/shibboleth) at  
(ClientAddress: 127.0.0.1) with (NameIdentifier:  
_9a720e7666be8ddfe534f44a670cf12e)
2005-10-31 23:50:24 INFO Shibboleth-TRANSACTION : Making attribute  
query for session (ID: _3a231daca3dae197bd6e53bf91715846) on  
(applicationId: default) for principal from (IdP: https:// 
id.youngvillains.org/shibboleth)
2005-10-31 23:50:25 INFO Shibboleth-TRANSACTION : Caching the  
following attributes after AAP applied for session (ID:  
_3a231daca3dae197bd6e53bf91715846) on (applicationId: default) for  
principal from (IdP: https://id.youngvillains.org/shibboleth) {
2005-10-31 23:50:25 INFO Shibboleth-TRANSACTION :        
urn:mace:dir:attribute-def:eduPersonScopedAffiliation (1 values)
2005-10-31 23:50:25 INFO Shibboleth-TRANSACTION :        
urn:mace:dir:attribute-def:eduPersonAffiliation (1 values)
2005-10-31 23:50:25 INFO Shibboleth-TRANSACTION :        
urn:mace:dir:attribute-def:eduPersonPrincipalName (1 values)
2005-10-31 23:50:25 INFO Shibboleth-TRANSACTION : }
2005-10-31 23:50:25 INFO Shibboleth-TRANSACTION : Successful  
attribute query for session (ID: _3a231daca3dae197bd6e53bf91715846)


For the Java version:

23:44 DEBUG Received the following SAML response as the response to  
the request to https://id.youngvillains.org:8443/shibboleth-idp/AA
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"  
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"  
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http:// 
www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/ 
XMLSchema-instance" InResponseTo="_b14463d84ad3c10f2eff67b0ea6369cb"  
IssueInstant="2005-10-31T23:44:36.285Z" MajorVersion="1"  
MinorVersion="1"  
ResponseID="_d217e06e95141cac2e004ab0874260db"><Status><StatusCode  
Value="samlp:Success"></StatusCode></Status><Assertion  
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"  
AssertionID="_7c042e01525f1b1364a2fa5945c810c8"  
IssueInstant="2005-10-31T23:44:36.284Z" Issuer="https:// 
id.youngvillains.org/shibboleth" MajorVersion="1"  
MinorVersion="1"><Conditions NotBefore="2005-10-31T23:44:36.284Z"  
NotOnOrAfter="2005-11-01T00:14:36.284Z"><AudienceRestrictionCondition><A 
udience>https://www.evil.edu/shibboleth</ 
Audience><Audience>urn:mace:shibboleth:trouble</Audience></ 
AudienceRestrictionCondition></ 
Conditions><AttributeStatement><Subject><NameIdentifier  
Format="urn:mace:shibboleth:1.0:nameIdentifier"  
NameQualifier="https://id.youngvillains.org/ 
shibboleth">_7eed6b39e96813a00f12e732dc666f7d</ 
NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names: 
tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></ 
Subject><Attribute AttributeName="urn:mace:dir:attribute- 
def:eduPersonScopedAffiliation"  
AttributeNamespace="urn:mace:shibboleth: 
1.0:attributeNamespace:uri"><AttributeValue  
Scope="youngvillains.org">Student</AttributeValue></ 
Attribute><Attribute AttributeName="urn:mace:dir:attribute- 
def:eduPersonAffiliation" AttributeNamespace="urn:mace:shibboleth: 
1.0:attributeNamespace:uri"><AttributeValue>Student</AttributeValue></ 
Attribute><Attribute AttributeName="urn:mace:dir:attribute- 
def:eduPersonPrincipalName" AttributeNamespace="urn:mace:shibboleth: 
1.0:attributeNamespace:uri"><AttributeValue  
Scope="youngvillains.org">hijacker</AttributeValue></Attribute></ 
AttributeStatement></Assertion></Response>
23:44 DEBUG evaluating value for attribute (urn:mace:dir:attribute- 
def:eduPersonScopedAffiliation) from site (https:// 
id.youngvillains.org/shibboleth)
23:44 WARN  attribute (urn:mace:dir:attribute- 
def:eduPersonScopedAffiliation) value explicitly denied by site rule,  
rejecting it
23:44 DEBUG evaluating value for attribute (urn:mace:dir:attribute- 
def:eduPersonAffiliation) from site (https://id.youngvillains.org/ 
shibboleth)
23:44 WARN  attribute (urn:mace:dir:attribute- 
def:eduPersonAffiliation) value explicitly denied by site rule,  
rejecting it
23:44 DEBUG evaluating value for attribute (urn:mace:dir:attribute- 
def:eduPersonPrincipalName) from site (https://id.youngvillains.org/ 
shibboleth)
23:44 DEBUG site rule, value match
23:44 DEBUG scope match via site metadata

trouble-metadata.xml:

                <AttributeAuthorityDescriptor  
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
                        <Extensions>
                                <!-- This is a Shibboleth extension  
to express attribute scope rules. -->
                                <shibmd:Scope>youngvillains.org</ 
shibmd:Scope>
                        </Extensions>

As far as I can tell, the AAP.xml's are identical, but FWIW:

        <AttributeRule Name="urn:mace:dir:attribute- 
def:eduPersonScopedAffiliation" Scoped="true" CaseSensitive="false"  
Header="Shib-EP-Affiliation" Alias="affiliation">
                <!-- Filtering rule to limit values to eduPerson- 
defined enumeration. -->
        <AnySite>
            <Value>MEMBER</Value>
            <Value>FACULTY</Value>
            <Value>STUDENT</Value>
            <Value>STAFF</Value>
            <Value>ALUM</Value>
            <Value>AFFILIATE</Value>
            <Value>EMPLOYEE</Value>
        </AnySite>