Shibboleth Developers

["Scott Cantor" <>]

> SAML response.  The logged SAML response looks good, and login occurs,
> but the attribute my IDP sent is not exported into my environment.  I
> see this in the log, which I am interpretting to mean the attribute
> filter is getting rid of the attribute that I sent:
> 
> 2007-07-30 10:56:08 DEBUG Shibboleth.SP.AttributeFilter [2]: filtering 1
> attribute(s) from (myidp)

Wrong interpretation. That's a DEBUG message indicating it found a rule that
applied to the attribute (I'll reword it). If it was removing anything, it
would WARN.

> I looked at the two configuration files, attribute-map.xml and
> attribute-policy.xml, but I did not find them completely self
> explanatory.  I tried adding some specific rules for the attribute, I am
> sending, but I have had no luck in changing the behavior.  Is there any
> documentation for these two files or known issues regarding attribute
> exporting?

I have no idea what's documented, I haven't even looked. The filtering
language is the same as the one used in the IdP and by default I included a
wildcard rule that passes through any attribute it doesn't have a rule for
(but that can be removed of course).

        <afp:AttributeRule attributeID="*">
            <afp:PermitValueRule xsi:type="ANY"/>
        </afp:AttributeRule>

So I don't think it's filtering anything behind you, unless there's a bug.

By default, whatever the "id" is for the attribute in the attribute map
(technically that's the extractor file), that's the environment variable
you'll get. Assuming this is Apache anyway. They're often case sensitive
like with Java servlets, I've noticed, though not on Windows.

If you want headers like before, use IIS or set ShibUseEnvironment Off.

-- Scott