shibboleth-dev - Re: Beta IdP: No principal attribute supports an encoding into a supported name ID format

Subject: Shibboleth Developers

Re: Beta IdP: No principal attribute supports an encoding into a supported name ID format


Chronological Thread 
  • From: Lukas Haemmerle <>
  • To:
  • Subject: Re: Beta IdP: No principal attribute supports an encoding into a supported name ID format
  • Date: Mon, 24 Sep 2007 16:34:30 +0200
  • Organization: SWITCH - Serving Swiss Universities

> I have a similar issue - I entered this case while I look at it further.
>
> https://bugs.internet2.edu/jira/browse/SC-23
>
> You might (but probably will not) get further if you release an
> attribute which is the same one that you are using to look up the LDAP
> with (so in my case I'm filtering
> "sAMAccountName=$requestContext.principalName" and so I release
> sAMAccountName)

My principal is uid, so my filter is:
uid=$requestContext.principalName

I also uncommented the AttributeDefinition with id="uid" and adapted the
attribute-filter.xml to release the uid as well.

Now the SP gets an assertion like:

<samlp:Response IssueInstant="2007-09-24T14:28:46.339Z" MajorVersion="1"
MinorVersion="1"
Recipient="https://kelimutu.switch.ch/Shibboleth.sso/SAML/POST"
ResponseID="_0d146497871407c8003bc38fc481abc3"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
<samlp:Status>
<samlp:StatusCode Value="samlp:Success" />
</samlp:Status>
<saml:Assertion AssertionID="_2f4a68d6976ce6a8ce0f0969d2fde2e0"
IssueInstant="2007-09-24T14:28:46.339Z"
Issuer="urn:mace:switch.ch:aaitest:lewotolo.switch.ch" MajorVersion="1"
MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2007-09-24T14:28:46.339Z"
NotOnOrAfter="2007-09-24T14:33:46.339Z" />
<saml:AuthenticationStatement
AuthenticationInstant="2007-09-24T14:28:45.923Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified">
<saml:Subject>
<saml:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified">
demouser
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:SubjectLocality DNSAddress="130.59.6.143" IPAddress="130.59.6.143" />
</saml:AuthenticationStatement>
</saml:Assertion>
</samlp:Response>

Of course it complains that nothing is signed. I also find it a bit
strange that the principal name is used as nameidentifier in plain text
but this most probably is https://bugs.internet2.edu/jira/browse/SC-23,
which is not yet fixed.

Lukas

--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Haemmerle, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
http://www.switch.ch
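As an added example (not part of the original thread, and not Shibboleth SP code), the script below performs the checks a relying party would apply to the SAML 1.1 response quoted in the message: status, Recipient, Issuer, presence of an XML Signature on the response or assertion, the Conditions validity window, and the NameIdentifier format. It reproduces the two observations Lukas makes, that nothing is signed and that the principal name travels in the clear with format "unspecified". SAMPLE_RESPONSE is the response from the message with attributes reflowed and the stray ';' after Recipient removed; the 60-second clock skew and the dictionary-based findings are assumptions of this example, and ElementTree is used only because it is in the standard library.

```python
# Relying-party sanity checks for a SAML 1.1 POST response (added example).
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Copied from the message above (attributes reflowed, stray ';' removed).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
  IssueInstant="2007-09-24T14:28:46.339Z" MajorVersion="1" MinorVersion="1"
  Recipient="https://kelimutu.switch.ch/Shibboleth.sso/SAML/POST"
  ResponseID="_0d146497871407c8003bc38fc481abc3">
 <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
   AssertionID="_2f4a68d6976ce6a8ce0f0969d2fde2e0" IssueInstant="2007-09-24T14:28:46.339Z"
   Issuer="urn:mace:switch.ch:aaitest:lewotolo.switch.ch" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2007-09-24T14:28:46.339Z" NotOnOrAfter="2007-09-24T14:33:46.339Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2007-09-24T14:28:45.923Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified">
   <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified">
     demouser
    </saml:NameIdentifier>
    <saml:SubjectConfirmation>
     <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
   </saml:Subject>
  </saml:AuthenticationStatement>
 </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse the UTC xs:dateTime form SAML 1.1 uses, with or without a fraction."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_response(xml_text, now, acs_url, expected_issuer, skew=timedelta(seconds=60)):
    """Return the subject plus a list of findings; an empty list means all checks passed.

    `skew` (assumed 60 s) is the clock tolerance applied to the Conditions window.
    """
    root = ET.fromstring(xml_text)
    findings = []

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith("Success"):
        findings.append("status is not Success")
    if root.get("Recipient") != acs_url:
        findings.append("Recipient does not match our assertion consumer URL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no assertion present")
        return {"name_id": None, "name_format": None, "findings": findings}
    if assertion.get("Issuer") != expected_issuer:
        findings.append("unexpected Issuer")

    # Without a signature on the response or the assertion there is no
    # cryptographic binding to the IdP, so the bearer confirmation proves nothing.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("neither response nor assertion is signed")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_instant(not_before):
            findings.append("assertion not yet valid")
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            findings.append("assertion expired")

    name_el = assertion.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    name_id = name_el.text.strip() if name_el is not None and name_el.text else None
    name_format = name_el.get("Format") if name_el is not None else None
    if name_format and name_format.endswith(":unspecified"):
        # The login name itself is on the wire rather than an opaque identifier.
        findings.append("NameIdentifier is the plain principal name (format unspecified)")

    return {"name_id": name_id, "name_format": name_format, "findings": findings}


if __name__ == "__main__":
    result = check_response(SAMPLE_RESPONSE, parse_instant("2007-09-24T14:30:00Z"),
                            "https://kelimutu.switch.ch/Shibboleth.sso/SAML/POST",
                            "urn:mace:switch.ch:aaitest:lewotolo.switch.ch")
    print(result["name_id"], result["findings"])
```

Run against the quoted response at 14:30Z the same day, the two findings are the unsigned response/assertion and the unspecified-format NameIdentifier; run ten minutes later the assertion is also reported as expired, and a mismatched Recipient or Issuer is flagged independently of the signature problem.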
