
shibboleth-dev - RE: Shib 2 - SP Question

Subject: Shibboleth Developers

RE: Shib 2 - SP Question


  • From: <>
  • To: <>
  • Subject: RE: Shib 2 - SP Question
  • Date: Tue, 31 Jul 2007 17:41:40 -0400

Thanks Nate and Scott for the help.  I had a variety of problems, and I might have missed some useful error messages as I switched my configuration around a bit too aggressively when I first had problems.  I did eventually figure things out and got everything working.  I do have a few things to report that might be useful:
 
In the AttributeMap file, one field must be populated (and correctly) or the attribute is thrown away: the "nameFormat" field.  If it is missing or populated incorrectly (I had it missing and used "unspecified" before I finally populated it correctly), the attribute is filtered out of the assertion and as far as I can tell nothing shows up in the logfile to mention the assertion is being ignored.  As an example, two entries from my attribute-map.xml:
 
        <Attribute name="TestAttribute"  id="testattr"/>
        <Attribute name="TestAttribute2" id="testattr2" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>

TestAttribute does not get exported to the environment and there is no mention in the logfile that it is being filtered out.  If I add the nameFormat to that map entry, it arrives fine.  Seems like it might be useful to update the documentation to note how significant the nameFormat is, and/or change the SP filtering code if this behavior is too stringent.
 
The second thing might be more of a discussion topic (and I have a feeling the natural response is going to be, that the IDP I am using is not following the standards, and while that may be true, it seems like this might be something the SP should handle).  When an attribute is sufficiently "complex", this IDP escapes the attribute with a CDATA wrapper (<![CDATA[<data here>]]>).  The question I guess is how should the Shibboleth SP handle attribute values presented in this way?
 
Currently, the SP determines the attribute has no value (I guess it attempts to parse it and the parser skips the data because parsers are supposed to skip data marked this way) and filters it out, and so I don't get the attribute in my environment.
 
Thanks,
Jeff
 


From: Nate Klingenstein [mailto:]
Sent: Monday, July 30, 2007 12:35 PM
To:
Subject: Re: Shib 2 - SP Question

https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeMapXML

There is no documentation specific to the SP's attribute filter policies, but there is general information about the structure and function of attribute filter policies:

https://spaces.internet2.edu/display/SHIB2/AFPAttributeFilterPolicy

Hopefully these are useful; if they're not, please feel free to send me suggestions or edit the pages yourself as you discover things.

On 30 Jul 2007, at 15:32, <> wrote:

I looked at the two configuration files, attribute-map.xml and attribute-policy.xml, but I did not find them completely self-explanatory.
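
Added example, not part of the original thread and not Shibboleth code: since the message reports that a map entry with a missing or wrong nameFormat drops the attribute without a log line, this check compares the (Name, NameFormat) pairs in an assertion's AttributeStatement against attribute-map.xml and lists the ones that have no exact match. The function names, the sample inputs and the rule that an entry without nameFormat matches nothing are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# SAML 2.0 core: an Attribute without NameFormat is "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample: the two map entries quoted in the message above.
SAMPLE_MAP = f"""<Attributes>
  <Attribute name="TestAttribute"  id="testattr"/>
  <Attribute name="TestAttribute2" id="testattr2" nameFormat="{BASIC}"/>
</Attributes>"""

# Constructed sample assertion fragment; names and values are placeholders.
SAMPLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="TestAttribute" NameFormat="{BASIC}"><saml:AttributeValue>a</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="TestAttribute2" NameFormat="{BASIC}"><saml:AttributeValue>b</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="TestAttribute3" NameFormat="{BASIC}"><saml:AttributeValue>c</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def load_map(map_xml):
    """Return {(name, nameFormat or None): id} for each map entry."""
    root = ET.fromstring(map_xml)
    # Compare local tag names so the file parses with or without a namespace.
    return {(e.get("name"), e.get("nameFormat")): e.get("id")
            for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "Attribute"}


def unmapped(map_xml, statement_xml):
    """List (Name, NameFormat, reason) for asserted attributes lacking an exact map entry."""
    entries = load_map(map_xml)
    mapped_names = {name for name, _ in entries}
    findings = []
    for attr in ET.fromstring(statement_xml).iter(f"{{{SAML_NS}}}Attribute"):
        name, fmt = attr.get("Name"), attr.get("NameFormat", UNSPECIFIED)
        # Assumption: matching is exact on the pair, so an entry with no
        # nameFormat (key None) never matches, as observed in the message.
        if (name, fmt) in entries:
            continue
        reason = "nameFormat mismatch" if name in mapped_names else "no map entry"
        findings.append((name, fmt, reason))
    return findings


if __name__ == "__main__":
    for name, fmt, reason in unmapped(SAMPLE_MAP, SAMPLE_STATEMENT):
        print(f"{name} ({fmt}): {reason}")
```

Run against a captured assertion and the deployed attribute-map.xml, a "nameFormat mismatch" line points at the silent-drop case described above, as distinct from an attribute that simply has no map entry.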




