Shibboleth Developers

[Chad La Joie <>]

Nate's right.  You can find documentation for this here:

https://spaces.internet2.edu/display/SHIB2/IdPNameIdentifier

Nate Klingenstein wrote:
> Eric,
>
> Assuming you are indeed being asked to authenticate and that's not 
> misconfigured, this time you need an appropriate principal connector 
> defined, and appropriate release for it configured.  In particular, in 
> attribute-resolver.xml, you need something like:
>
>     <resolver:PrincipalConnector xsi:type="Direct" 
> xmlns="urn:mace:shibboleth:2.0:resolver:pc"
>                                  id="saml1UnspecDirect"
>                                  
> nameIDFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
>
>     <resolver:PrincipalConnector xsi:type="Direct" 
> xmlns="urn:mace:shibboleth:2.0:resolver:pc"
>                                  id="saml2UnspecDirect"
>                                  
> nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
>
> and
>
>     <resolver:AttributeDefinition id="principalName" 
> xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
>         <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" 
> xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>                                    
> nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
>         
>         <resolver:AttributeEncoder xsi:type="SAML2StringNameID" 
> xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>                                    
> nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
>                                    
>         <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" 
> xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>                                    
> nameFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
>                                    
>    </resolver:AttributeDefinition>
>
> You will also need a release policy in attribute-filter.xml such as:
>
>     <AttributeFilterPolicy id="releasePrincipalToAnyone">
>         <PolicyRequirementRule xsi:type="basic:ANY" />
>
>         <AttributeRule attributeID="principalName">
>             <PermitValueRule xsi:type="basic:ANY" />
>         </AttributeRule>
>     </AttributeFilterPolicy>
>
> There is no privacy preserved in those settings, but give them a try to 
> see if the provider will function.
> Nate.
>
> On 3 Dec 2007, at 03:47, Yifan (Eric) Jiang wrote:
>
> > 16:40:33.749 ERROR 
> > [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler] 
> > Error resolving attributes for SAML request from relying party 
> > urn:mace:federation.org.au:bestgrid.org
> >
> > edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: 
> > No principal connector available to resolve a subject name with format 
> > urn:mace:shibboleth:1.0:nameIdentifier for relying party 
> > urn:mace:federation.org.au:bestgrid.org

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
 http://www.switch.ch