
shibboleth-dev - Java SP AAP Bug?

Subject: Shibboleth Developers

  • From: Nate Klingenstein <>
  • To: Shibboleth Development <>
  • Subject: Java SP AAP Bug?
  • Date: Mon, 31 Oct 2005 23:53:49 +0000

Maybe I'm missing something obvious. The results from the C++ version:

2005-10-31 23:50:24 INFO Shibboleth-TRANSACTION : New session (ID: _3a231daca3dae197bd6e53bf91715846) with (applicationId: default) for principal from (IdP: https://id.youngvillains.org/shibboleth) at (ClientAddress: 127.0.0.1) with (NameIdentifier: _9a720e7666be8ddfe534f44a670cf12e)
2005-10-31 23:50:24 INFO Shibboleth-TRANSACTION : Making attribute query for session (ID: _3a231daca3dae197bd6e53bf91715846) on (applicationId: default) for principal from (IdP: https://id.youngvillains.org/shibboleth)
2005-10-31 23:50:25 INFO Shibboleth-TRANSACTION : Caching the following attributes after AAP applied for session (ID: _3a231daca3dae197bd6e53bf91715846) on (applicationId: default) for principal from (IdP: https://id.youngvillains.org/shibboleth) {
2005-10-31 23:50:25 INFO Shibboleth-TRANSACTION : urn:mace:dir:attribute-def:eduPersonScopedAffiliation (1 values)
2005-10-31 23:50:25 INFO Shibboleth-TRANSACTION : urn:mace:dir:attribute-def:eduPersonAffiliation (1 values)
2005-10-31 23:50:25 INFO Shibboleth-TRANSACTION : urn:mace:dir:attribute-def:eduPersonPrincipalName (1 values)
2005-10-31 23:50:25 INFO Shibboleth-TRANSACTION : }
2005-10-31 23:50:25 INFO Shibboleth-TRANSACTION : Successful attribute query for session (ID: _3a231daca3dae197bd6e53bf91715846)


For the Java version:

23:44 DEBUG Received the following SAML response as the response to the request to https://id.youngvillains.org:8443/shibboleth-idp/AA
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" InResponseTo="_b14463d84ad3c10f2eff67b0ea6369cb" IssueInstant="2005-10-31T23:44:36.285Z" MajorVersion="1" MinorVersion="1" ResponseID="_d217e06e95141cac2e004ab0874260db"><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_7c042e01525f1b1364a2fa5945c810c8" IssueInstant="2005-10-31T23:44:36.284Z" Issuer="https://id.youngvillains.org/shibboleth" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2005-10-31T23:44:36.284Z" NotOnOrAfter="2005-11-01T00:14:36.284Z"><AudienceRestrictionCondition><Audience>https://www.evil.edu/shibboleth</Audience><Audience>urn:mace:shibboleth:trouble</Audience></AudienceRestrictionCondition></Conditions><AttributeStatement><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="https://id.youngvillains.org/shibboleth">_7eed6b39e96813a00f12e732dc666f7d</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="youngvillains.org">Student</AttributeValue></Attribute><Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue>Student</AttributeValue></Attribute><Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="youngvillains.org">hijacker</AttributeValue></Attribute></AttributeStatement></Assertion></Response>
23:44 DEBUG evaluating value for attribute (urn:mace:dir:attribute-def:eduPersonScopedAffiliation) from site (https://id.youngvillains.org/shibboleth)
23:44 WARN attribute (urn:mace:dir:attribute-def:eduPersonScopedAffiliation) value explicitly denied by site rule, rejecting it
23:44 DEBUG evaluating value for attribute (urn:mace:dir:attribute-def:eduPersonAffiliation) from site (https://id.youngvillains.org/shibboleth)
23:44 WARN attribute (urn:mace:dir:attribute-def:eduPersonAffiliation) value explicitly denied by site rule, rejecting it
23:44 DEBUG evaluating value for attribute (urn:mace:dir:attribute-def:eduPersonPrincipalName) from site (https://id.youngvillains.org/shibboleth)
23:44 DEBUG site rule, value match
23:44 DEBUG scope match via site metadata

trouble-metadata.xml:

<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
<Extensions>
<!-- This is a Shibboleth extension to express attribute scope rules. -->
<shibmd:Scope>youngvillains.org</shibmd:Scope>
</Extensions>

As far as I can tell, the AAP.xml's are identical, but FWIW:

<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Scoped="true" CaseSensitive="false" Header="Shib-EP-Affiliation" Alias="affiliation">
<!-- Filtering rule to limit values to eduPerson-defined enumeration. -->
<AnySite>
<Value>MEMBER</Value>
<Value>FACULTY</Value>
<Value>STUDENT</Value>
<Value>STAFF</Value>
<Value>ALUM</Value>
<Value>AFFILIATE</Value>
<Value>EMPLOYEE</Value>
</AnySite>
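
Added example, not part of the original message and not Shibboleth's own code: a small Python evaluator that applies the AnySite rule quoted above to the value "Student" from the logged response, once honoring CaseSensitive="false" and once ignoring it. It shows how that flag changes the outcome for this input and does not establish what the Java SP actually does; the function names, the exact-match scope check and the CaseSensitive default are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed from the AttributeRule excerpt in the message: Header/Alias are
# dropped and a closing tag is added so the fragment parses on its own.
AAP_RULE = """<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
    Scoped="true" CaseSensitive="false">
  <AnySite>
    <Value>MEMBER</Value><Value>FACULTY</Value><Value>STUDENT</Value>
    <Value>STAFF</Value><Value>ALUM</Value><Value>AFFILIATE</Value>
    <Value>EMPLOYEE</Value>
  </AnySite>
</AttributeRule>"""

# The shibmd:Scope value listed in trouble-metadata.xml.
METADATA_SCOPES = {"youngvillains.org"}


def load_rule(xml_text):
    """Parse one AttributeRule into a plain dict (hypothetical helper)."""
    rule = ET.fromstring(xml_text)
    return {
        "name": rule.get("Name"),
        "scoped": rule.get("Scoped", "false") == "true",
        # Assumption: CaseSensitive is treated as true when the attribute is absent.
        "case_sensitive": rule.get("CaseSensitive", "true") == "true",
        "values": [v.text for v in rule.findall("./AnySite/Value")],
    }


def accept(rule, value, scope=None, honor_case_flag=True):
    """Return (accepted, reason) for one attribute value and its Scope."""
    # honor_case_flag=False models an evaluator that always compares exactly.
    case_sensitive = rule["case_sensitive"] if honor_case_flag else True
    norm = (lambda s: s) if case_sensitive else str.casefold
    if norm(value) not in {norm(v) for v in rule["values"]}:
        return False, "value not permitted by rule"
    # Assumption: a scoped attribute needs an exact match on a metadata scope.
    if rule["scoped"] and scope not in METADATA_SCOPES:
        return False, "scope not permitted by metadata"
    return True, "accepted"


if __name__ == "__main__":
    r = load_rule(AAP_RULE)
    print(accept(r, "Student", "youngvillains.org"))
    print(accept(r, "Student", "youngvillains.org", honor_case_flag=False))
```
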


