shibboleth-dev - RE: SAML attribute query exception
Subject: Shibboleth Developers
List archive
- From: "Yifan (Eric) Jiang" <>
- To: <>
- Subject: RE: SAML attribute query exception
- Date: Mon, 3 Dec 2007 17:34:17 +1300
Sorry, there was a typo in the last email; I meant I've added tomcatAuthentication="false" in /usr/local/tomcat/conf/server.xml for port 8009.

Eric

From:

Hi Nate,

The attribute-resolver.xml that I used was downloaded from https://spaces.internet2.edu/download/attachments/5557/attribute-resolver.xml?version=2, and I only updated the scope value. So the configuration of the PrincipalConnector and the AttributeDefinition of principalName remain at their default values, i.e. they have the same values as in your suggestion. In addition, I've added tomcatAuthentication="false" in tomcatAuthentication="false"

Thanks
Eric

From: Nate Klingenstein [mailto:]

Eric,

Assuming you are indeed being asked to authenticate and that's not misconfigured, this time you need an appropriate principal connector defined, and appropriate release for it configured. In particular, in attribute-resolver.xml, you need something like:

<resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
    id="saml1UnspecDirect"
    nameIDFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
<resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
    id="saml2UnspecDirect"
    nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />

and

<resolver:AttributeDefinition id="principalName" xsi:type="PrincipalName"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
</resolver:AttributeDefinition>

You will also need a release policy in attribute-filter.xml such as:

<AttributeFilterPolicy id="releasePrincipalToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="principalName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

There is no privacy preserved in those settings, but give them a try to see if the provider will function.

Nate.
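The wiring Nate asks for has three parts that must all line up: a Direct PrincipalConnector for the NameID format the SP sends, a PrincipalName AttributeDefinition with a NameID encoder, and a filter policy that releases principalName to the requesting SP. The following is an added example, not code from the thread or from the Shibboleth project: a small Python lint that parses both IdP 2.x files and reports which of those parts is missing, and also flags the basic:ANY requirement rule from the debugging policy above so it does not survive into production. The XML embedded in it is constructed to mirror the thread (the resolver fragment deliberately has only the SAML 2 connector), and the SP entityIDs are made up.

```python
# Added example (not from the thread or the Shibboleth project): lint the
# principalName wiring in Shibboleth IdP 2.x attribute-resolver.xml and
# attribute-filter.xml.  All XML below is constructed test input.
import xml.etree.ElementTree as ET

NS = {
    "resolver": "urn:mace:shibboleth:2.0:resolver",
    "afp": "urn:mace:shibboleth:2.0:afp",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]          # key ElementTree uses for xsi:type
SAML1_UNSPEC = "urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified"
SAML2_UNSPEC = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
NAMEID_ENCODERS = {"SAML1StringNameIdentifier", "SAML2StringNameID"}

# Constructed resolver fragment: only the SAML 2 connector is present.
RESOLVER_XML = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:PrincipalConnector xsi:type="Direct" id="saml2UnspecDirect"
      xmlns="urn:mace:shibboleth:2.0:resolver:pc"
      nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"/>
  <resolver:AttributeDefinition id="principalName" xsi:type="PrincipalName"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""


def filter_xml(requirement_rule):
    """Constructed attribute-filter.xml releasing principalName under `requirement_rule`."""
    return """<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releasePrincipalName">
    %s
    <AttributeRule attributeID="principalName">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>""" % requirement_rule


# The debugging policy from the thread (any SP) and a variant scoped to one
# made-up SP entityID via basic:AttributeRequesterString.
FILTER_OPEN_XML = filter_xml('<PolicyRequirementRule xsi:type="basic:ANY"/>')
FILTER_SCOPED_XML = filter_xml(
    '<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" '
    'value="https://sp.example.org/shibboleth"/>')


def check_resolver(xml_text, name_id_format):
    """Problems (empty list means OK) with resolving principalName for a
    query whose subject NameID uses `name_id_format`."""
    root = ET.fromstring(xml_text)
    problems = []
    if not any(pc.get("nameIDFormat") == name_id_format
               for pc in root.findall("resolver:PrincipalConnector", NS)):
        problems.append("no PrincipalConnector for " + name_id_format)
    defs = [d for d in root.findall("resolver:AttributeDefinition", NS)
            if d.get("id") == "principalName"]
    if not defs:
        problems.append("no AttributeDefinition id=principalName")
        return problems
    if defs[0].get(XSI_TYPE) != "PrincipalName":
        problems.append("principalName is not xsi:type=PrincipalName")
    encoders = defs[0].findall("resolver:AttributeEncoder", NS)
    if not any(e.get(XSI_TYPE) in NAMEID_ENCODERS for e in encoders):
        problems.append("principalName has no NameID encoder")
    return problems


def check_filter(xml_text, requester):
    """(released, open_to_all): is principalName released to `requester`, and
    does the policy releasing it apply to every SP?  Only basic:ANY and
    basic:AttributeRequesterString requirement rules are modelled."""
    root = ET.fromstring(xml_text)
    released = open_to_all = False
    for policy in root.findall("afp:AttributeFilterPolicy", NS):
        req = policy.find("afp:PolicyRequirementRule", NS)
        rtype = req.get(XSI_TYPE, "") if req is not None else ""
        if rtype.endswith(":ANY"):
            applies, everyone = True, True
        elif rtype.endswith(":AttributeRequesterString"):
            applies, everyone = req.get("value") == requester, False
        else:
            continue                      # other rule types: not evaluated
        if not applies:
            continue
        for attr in policy.findall("afp:AttributeRule", NS):
            if (attr.get("attributeID") == "principalName"
                    and attr.find("afp:PermitValueRule", NS) is not None):
                released = True
                open_to_all = open_to_all or everyone
    return released, open_to_all


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    print("SAML2:", check_resolver(RESOLVER_XML, SAML2_UNSPEC) or "OK")
    print("SAML1:", check_resolver(RESOLVER_XML, SAML1_UNSPEC) or "OK")
    print("open:", check_filter(FILTER_OPEN_XML, sp),
          "scoped:", check_filter(FILTER_SCOPED_XML, sp))
```

Run against the constructed input, a SAML 1 query is reported as unresolvable (no connector for its NameID format) while a SAML 2 query passes, and the open policy is flagged as releasing principalName to every requester. Once the SP works with Nate's debugging policy, the scoped variant (basic:AttributeRequesterString with the SP's entityID) is the usual way to keep the release while restoring the privacy Nate notes is absent.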
- SAML attribute query exception, Yifan (Eric) Jiang, 12/02/2007
- Re: SAML attribute query exception, Nate Klingenstein, 12/02/2007
- RE: SAML attribute query exception, Yifan (Eric) Jiang, 12/02/2007
- Re: SAML attribute query exception, Nate Klingenstein, 12/02/2007
- RE: SAML attribute query exception, Yifan (Eric) Jiang, 12/02/2007
- RE: SAML attribute query exception, Yifan (Eric) Jiang, 12/02/2007
- Re: SAML attribute query exception, Chad La Joie, 12/03/2007
- RE: SAML attribute query exception, Yifan (Eric) Jiang, 12/03/2007
- Re: SAML attribute query exception, Chad La Joie, 12/03/2007
- RE: SAML attribute query exception, Yifan (Eric) Jiang, 12/03/2007
- RE: SAML attribute query exception, Yifan (Eric) Jiang, 12/02/2007
- Re: SAML attribute query exception, Nate Klingenstein, 12/03/2007
- Re: SAML attribute query exception, Nate Klingenstein, 12/02/2007
- RE: SAML attribute query exception, Yifan (Eric) Jiang, 12/02/2007
- Re: SAML attribute query exception, Nate Klingenstein, 12/02/2007
Archive powered by MHonArc 2.6.16.