Skip to Content.
Sympa Menu

shibboleth-dev - Re: SAML attribute query exception

Subject: Shibboleth Developers

List archive

Re: SAML attribute query exception


Chronological Thread 
  • From: Nate Klingenstein <>
  • To:
  • Subject: Re: SAML attribute query exception
  • Date: Mon, 3 Dec 2007 04:05:18 +0000
Eric,

Assuming you are indeed being asked to authenticate and that's not misconfigured, this time you need an appropriate principal connector defined, and appropriate release for it configured.  In particular, in attribute-resolver.xml, you need something like:

    <resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
                                 id="saml1UnspecDirect"
                                 nameIDFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />

    <resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
                                 id="saml2UnspecDirect"
                                 nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />

and

    <resolver:AttributeDefinition id="principalName" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
        
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
                                   
        <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   nameFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
                                   
   </resolver:AttributeDefinition>

You will also need a release policy in attribute-filter.xml such as:

    <AttributeFilterPolicy id="releasePrincipalToAnyone">
        <PolicyRequirementRule xsi:type="basic:ANY" />

        <AttributeRule attributeID="principalName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

There is no privacy preserved in those settings, but give them a try to see if the provider will function.
Nate.

On 3 Dec 2007, at 03:47, Yifan (Eric) Jiang wrote:

16:40:33.749 ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler] Error resolving attributes for SAML request from relying party urn:mace:federation.org.au:bestgrid.org

edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: No principal connector available to resolve a subject name with format urn:mace:shibboleth:1.0:nameIdentifier for relying party urn:mace:federation.org.au:bestgrid.org




Archive powered by MHonArc 2.6.16.

Top of Page