shibboleth-dev - RE: Shib 2 - SP Question


RE: Shib 2 - SP Question


  • Subject: RE: Shib 2 - SP Question
  • Date: Mon, 30 Jul 2007 11:32:58 -0400

Thanks for the help (the testing tools were a big help). I have SSO
working now, but I can't seem to figure out the attribute filtering in
Shib 2. I have an attribute statement and authn statement in the SSO
SAML response. The logged SAML response looks good, and login occurs,
but the attribute my IDP sent is not exported into my environment. I
see this in the log, which I am interpreting to mean the attribute
filter is getting rid of the attribute that I sent:

2007-07-30 10:56:08 DEBUG Shibboleth.SP.AttributeFilter [2]: filtering 1
attribute(s) from (myidp)

I looked at the two configuration files, attribute-map.xml and
attribute-policy.xml, but I did not find them completely self
explanatory. I tried adding some specific rules for the attribute I am
sending, but I have had no luck in changing the behavior. Is there any
documentation for these two files or known issues regarding attribute
exporting?

Thanks,
Jeff

-----Original Message-----
From: Scott Cantor
Sent: Friday, July 27, 2007 5:17 PM
Subject: RE: Shib 2 - SP Question

> 1) What logging options do I need to turn on to get Shib 2 to show me
> the SAML Request in the logfiles? Currently all I see is:
>
> I tried turning up everything to debug, but either I am missing a
> setting somewhere or this is not something that will get logged.

I don't see any code that would be logging it so I don't think it gets
dumped. Logging is a work in progress and I haven't decided yet where
that sort of thing should be dumped, SP or OpenSAML.

> 2) How does the bindingTemplate.html work in regards to this process.
> I edited it to turn off auto-submit thinking that would allow me to
> inspect the generated request prior to transmission, but upon
> accessing a protected url at my SP, I still get automatically
> redirected to the Ping IDP.

The template applies to POST, not redirect. The redirect binding uses a 302.
I don't currently have a meta-refresh option, as it technically isn't
compliant to do that.

> I do not know if the signature is a problem, but I do think the
> SAMLRequest that shows up at the Ping IDP is not encoded correctly. I
> would expect base64, but when I stop the Ping IDP from
> auto-redirecting back to Shibboleth on failure I see an encoded SAML
> Request, but it includes control characters, so it's not base64.

I doubt if that's what was sent. This all worked before when we tested
early, so I don't think anything that blatant has been broken in the
meantime. Note that the SAMLRequest is not just base64'd, it's also URL
encoded after that.

-- Scott
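As an added example (not code from either message, and not Shibboleth's own implementation), the following Python sketch shows the SAML 2.0 HTTP-Redirect binding encoding Scott is describing: the AuthnRequest is DEFLATE-compressed (raw RFC 1951, which the binding specification requires), then base64-encoded, then URL-encoded into the SAMLRequest query parameter. Stopping after the base64 layer leaves the compressed byte stream, which contains non-printable bytes and does not look like XML, which is consistent with the "control characters" observation in the quoted message. The sample AuthnRequest, its ID, timestamp and endpoint URLs are constructed placeholders.

```python
import base64
import urllib.parse
import zlib
from typing import Optional

# Constructed sample AuthnRequest; the ID, timestamp and URLs are placeholders,
# not values taken from the thread.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-request-id" Version="2.0" '
    'IssueInstant="2007-07-27T21:17:00Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">'
    '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE as the Redirect binding requires: no zlib or gzip header."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    return compressor.compress(data) + compressor.flush()


def inflate_raw(data: bytes) -> bytes:
    """Inverse of deflate_raw (wbits=-15 selects the raw format)."""
    return zlib.decompress(data, -15)


def encode_saml_request(xml: str) -> str:
    """Value of the SAMLRequest query parameter: deflate -> base64 -> URL-encode."""
    b64 = base64.b64encode(deflate_raw(xml.encode("utf-8"))).decode("ascii")
    # safe="" so that '+', '/' and '=' are percent-encoded as well; they are
    # not safe inside a query string, which is why base64 alone is not enough.
    return urllib.parse.quote(b64, safe="")


def decode_saml_request(param: str) -> str:
    """Reverse all three layers to recover the XML the SP sent."""
    b64 = urllib.parse.unquote(param)
    return inflate_raw(base64.b64decode(b64)).decode("utf-8")


def base64_layer_only(param: str) -> bytes:
    """Stop after base64 decoding: the result is still the deflated byte stream."""
    return base64.b64decode(urllib.parse.unquote(param))


def looks_like_xml(data: bytes) -> bool:
    """A decoded request should begin with the '<' of the root element."""
    return data.startswith(b"<")


def has_non_printable(data: bytes) -> bool:
    """True if the bytes contain control or non-ASCII values."""
    return any(b < 0x20 or b > 0x7E for b in data)


def build_redirect_url(sso_endpoint: str, xml: str,
                       relay_state: Optional[str] = None) -> str:
    """Assemble the Location header of the 302 the SP sends the browser to."""
    query = "SAMLRequest=" + encode_saml_request(xml)
    if relay_state is not None:
        query += "&RelayState=" + urllib.parse.quote(relay_state, safe="")
    separator = "&" if "?" in sso_endpoint else "?"
    return sso_endpoint + separator + query


def parse_redirect_url(url: str) -> str:
    """What the receiving IdP (or someone debugging the exchange) must do."""
    query = urllib.parse.urlsplit(url).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    # parse_qs already removed the URL-encoding layer; base64 and inflate remain.
    b64 = params["SAMLRequest"][0]
    return inflate_raw(base64.b64decode(b64)).decode("utf-8")


if __name__ == "__main__":
    param = encode_saml_request(SAMPLE_AUTHN_REQUEST)
    url = build_redirect_url("https://idp.example.org/sso",
                             SAMPLE_AUTHN_REQUEST, "/secure/page")
    print("Redirect target:", url)
    print("base64 layer only looks like XML?",
          looks_like_xml(base64_layer_only(param)))
    print("Full decode round-trips?",
          parse_redirect_url(url) == SAMPLE_AUTHN_REQUEST)
```

When inspecting a captured request, decode in the same order the sender encoded: URL-decode, base64-decode, then inflate. Only the final step yields readable XML; the intermediate compressed bytes are expected to look like garbage.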